Seanad Éireann - Volume 120 - 06 July, 1988
Data Protection Bill, 1987: Second Stage.
Question proposed: “That the Bill be now read a Second Time”.
Minister for Justice (Mr. Collins) Gerard Collins
Minister for Justice (Mr. Collins): The object of this Bill is to enable Ireland to ratify the 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data. For convenience of reference, the text of the Convention is set out in the First Schedule.
The Convention has three main features. It sets out a number of basic principles for the protection of individual privacy in the handling of automated personal data. It has special rules on transborder flows of personal data and, finally, it provides machinery for mutual assistance and consultation between the contracting parties. As the provisions of the Convention are being given effect to by the Bill, it may be convenient to deal with the Bill under those three headings.
First of all, the basic principles of data protection are set out in sections 2 (1), 4 and 6 and require any person who controls the contents and the use of automated personal data — what the Bill calls a “data controller”— to observe proper standards in the collection and processing of the data. In general, they require that the information consisting the data must have been collected fairly; must be accurate and, where necessary, kept up to date; must not be used or disclosed in any manner incompatible with the purposes for which they are kept; must be adequate, relevant and not excessive in relation to those purposes; and must not be kept for longer than is necessary for those purposes. Appropriate security measures must also be taken against unauthorised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction. Finally, a person who is the subject of the data — the “data subject” — must be given a right of access to the data, and any data that are incorrect or misleading must be corrected or erased.
As regards transborder flows of personal data, the Bill implements article 12 of the Convention. That article is aimed at reconciling, as between the contracting states, the simultaneous and sometimes competing requirements of data protection and the free flow of information. Its main provision is that transborder data flows between contracting states should not be subject to any special controls. That provision is a corollary of the requirement earlier in the Convention that all contracting states should incorporate in their law common principles of  data protection, guaranteeing a certain minimum protection to data subjects in all countries where the Convention is in force. The adoption of such a common set of legislative principles by contracting states has the additional advantage of leading to a general harmonising of laws and a resultant decrease in the possibility of conflicts of law or jurisdiction.
However, article 12 also provides that a party to the Convention can prohibit or restrict the export of personal data in two cases. It can do so, first, if its legislation has specific regulations governing certain categories of personal data because of the nature of those data — what is in mind here is sensitive personal data such as health data — unless the regulations of the other contracting party give equivalent protection. It can also prohibit or restrict a transfer abroad of data to another contracting state if there is an intention to transfer the data subsequently to a non-contracting state and the object is to circumvent the data protection legislation of the exporting state. The provisions of article 12 are implemented in section 11 of the Bill.
Lastly, there are the provisions of the Convention for mutual assistance and consultation between the contracting parties. Chapter IV deals with mutual cooperation between data protection authorities and assistance to data subjects abroad. Section 15 of the Bill designates the Data Commissioner to be appointed under the Bill as an authority for the purposes of that chapter. Chapter V deals with the machinery for regular consultation between the contracting parties to facilitate the smooth running of the Convention and, where necessary, to deal with any problems that may arise with regard to both its interpretation and its practical application. The Consultative Committee established for this purpose are authorised to propose amendments to the Convention to help to solve any difficulties that may arise between the contracting parties.
While the Convention obliges contracting parties to incorporate data protection provisions into their domestic legislation, the particular measures may  take different forms, depending on the legal and constitutional system of the State concerned. Apart from laws, there may be regulations, administrative guidelines and so on and these legally binding measures may be reinforced by measures of voluntary regulation such as codes of practice.
In fact, there is a fair measure of variation in the methods used to give effect to the Convention by the member states of the Council of Europe that have passed legislation in this field. Of our EC partners, five — Denmark, France, Germany, Luxembourg and the UK — have legislation already in force. Belgium, Greece, the Netherlands, Portugal and Spain all introduced legislation some time ago but it has not yet been enacted. There is also data protection legislation in force in five other European jurisdictions — Austria, Finland, Iceland, Norway and Sweden.
In preparing this Bill we have had the advantage of examining the various systems of data protection in operation in European countries and also the proposals for legislation in the other countries I have mentioned. What we have tried to do is to build on the experience of those countries and produce a measure that will be appropriate to our conditions. provide an adequate measure of data protection without imposing an undue burden on industry or unnecessary bureaucracy and facilitate the transfer to this country of personal data for processing.
One important aspect in which the Bill differs from the legislation in force in most European countries is that we do not propose to adopt a system of universal registration or licensing of data controllers. Such a universal system was adopted by Sweden in 1973 in the first data protection legislation ever enacted and their lead was followed by many other countries subsequently, including the UK in its Act of 1984 which came into operation last November. More recently, there has been a trend towards introducing an element of self-regulation. The  Finnish legislation, dating from last January, is an example of this. Their system requires registration only of certain sensitive categories of data and a system of self-regulation of the remainder.
That brings me to the proposals in the Bill for regulating the processing of personal data and ensuring that data is dealt with in accordance with its provisions. First of all, the Bill proposes a system of selective registration for those areas of activity which it is particularly desirable for the data commissioner to monitor, such as the public sector, financial institutions, companies in relation to which individuals are likely to avail themselves of the right of access such as credit reference agencies and, finally, persons or firms who keep sensitive data, such as data relating to health, political beliefs and so on. Persons who are in the business of processing data on behalf of others are also required to register. These categories may be added to by regulations made by the data commissioner with the consent of the Minister for Justice.
All other controllers of personal data are under no obligation to register. That is the only obligation they are relieved of. They are still equally bound by the obligation imposed on all data controllers by the Bill to comply fully with the data protection provisions and, if they do not, the data commissioner has been given adequate powers to compel them to do so. In particular, every data controller, whether registered or not, is obliged by section 3 to tell an inquirer whether he keeps personal data and, if so, the purposes for which the data are kept and a description of the data.
Another distinctive feature of this legislation is the provision for codes of practice in section 13. Codes of practice have an important role in any scheme of data protection that aims at achieving a proper balance between the interests of all those concerned — that is to say, the interests of data subjects, the legitimate interests of data controllers and their particular circumstances, including the cost to them and the community at large of  providing adequate safeguards, and the benefits to the public from automation.
The fact is that any law, such as this Bill will become on enactment, can do no more than set out general principles of data protection. These cannot reflect adequately the difference in sensitivity there can be between various forms of personal data and, consequently, between the levels of security and safeguards that are appropriate in each case. Personal data can range from a person's address, which can be ascertained from the telephone directory in most cases and is normally not of any great significance to anyone, to highly sensitive information about, say, his or her sexual life.
That is why section 13 requires the data commissioner to encourage bodies representing data controllers or data processors to prepare codes of practice that will guide them in complying with the Bill and provides for his approving of codes where he is satisfied that he should do so. The codes will fill in the detail required for achieving the level of data protection that is desirable in the particular circumstances of the data controllers concerned. In so far as the codes do so, they will improve the level of data protection in those sectors.
As the codes are voluntary, they would, in practice if not in law, be binding on members of the body that had drawn them up. That would not apply, or apply to the same extent, to non-members. For that reason, and because I believe the bodies concerned would wish to have the possibility of their codes of practice having statutory effect, the section enables both Houses of the Oireachtas to give the force of law to a code of practice provided that it has been approved of by the commissioner and that it is in accordance with the principles of data protection as set out in the Bill. The code will then become enforceable in the same way as those principles are. Of course, I would expect that codes would have to be in operation for some time before the Houses would be asked to approve of them, so that by then any difficulties in their practical operation would have been  remedied. This provision further emphasises the self-regulatory content of the Bill and keeps it fully in line with developments in modern data protection legislation.
Another feature of the Bill is the imposition on data controllers and data processors — these are people who are in the business of processing data on behalf of data controllers — of a duty of care towards data subjects in their handling of personal data relating to them — that is in so far as the existing law or torts does not do so. To establish liability for damage caused by negligence, the person causing the damage must have been under a duty of care towards the injured party. Obviously that duty applies in some circumstances at present as between data controllers or processors and data subjects but there are cases where it does not exist or its existence is doubtful. For example, a data processor will frequently not have any reason to be aware of the nature of the data he is processing or to whom the data refers so that it would be difficult to contend that he owes any duty of care to the data subjects covered by the data. Nevertheless, harm could be caused to those data subjects if, say, the data became public knowledge through some failure or inadequacy in the data processor's security arrangements. Section 7 makes it clear that in such circumstances a duty of care will exist.
I should also perhaps mention section 22, which makes it an offence for anyone to obtain access to personal data, or information constituting the data, without the authority of the data controller and then to disclose it. It will cover acccess to data either by way of “hacking” — by which I mean obtaining access at a distance from the firm's computer by using the telecommunications system — or merely by direct access to a computer printout or to the information in the computer memory, as displayed on the screen. The Bill, being a purely data protection measure, does not make “hacking” itself an offence. That would be appropriate to legislation amending the general criminal law. So, under section 22, the offence will  arise only if there is both unauthorised access and disclosure.
The convention does not specifically require a contracting party to establish a data protection authority but it is difficult to see how any system can be effectively monitored or policed without having some authority with power to enforce compliance with its provisions. The Bill, therefore, provides for the appointment by the Government of a data protection commissioner who will be independent in the exercise of his functions. He will have power to investigate whether data controllers are complying with the requirements of the Bill, either on his own initiative or following a complaint from a data subject. Where he is satisfied that a data controller is not complying with the data protection provisions he can serve an enforcement notice on him requiring him to take whatever steps are necessary and it will be an offence to refuse to comply with such a notice. However, the controller will have a right of appeal to the Circuit Court against the notice and, apart from special circumstances of urgency, he need not comply with the notice until the appeal has been finally determined.
The commissioner has also power to prohibit the transfer abroad of personal data and also to require information to be given to him where this is necessary for the exercise of his functions under the Bill. While it is essential that the commissioner should have power to issue these notices and to invoke the criminal law if they are not complied with, I envisage that the commissioner would seldom, if ever, have to invoke these powers but rather that his functions would be advisory and aimed at achieving an ever higher standard of compliance with the data protection principles. In particular, there would be no question of an enforcement notice being issued as a result of a complaint without the commissioner asking for and considering the data controller's side of the story.
Senators will observe that the Bill does not apply to information contained in manual files but only to information that is in automated form. The Convention  allows its provisions to be extended to manual files and some of the countries who have ratified it have done so.
I accept fully that there is a clear case for extending the principles of data protection to manual files. There is an equal need for these files to be accurate, relevant and kept up-to-date and the information in them to be collected fairly and not used for purposes incompatible with those for which they were collected. There should be rights or access to them and rights to have inaccurate information corrected or erased. Everything that a computer can do with information can be done with the same information kept in manual form, though of course far less readily.
The fact is, however, that such an extension would place a severe administrative burden on the public and private sectors. To take one example, it is a simple matter to retrieve all the information kept about an individual from an automated data base, possibly in a matter of seconds, whereas it could take days to do so from manual records. Second, there is not the same possibility of manipulating information stored manually as there is with automated data. A computer can manipulate data at prodigious speed and the fact that it can do so much more quickly and easily makes it more likely that it will be used to do so.
For that reason we are proceeding first with the protection of automated data. The protection of manually held data is another day's work. I am sure it will come in time but I have no evidence of public concern in this regard and consequently it would have to get a lower priority than other legislative projects being dealt with in my Department.
I would like to say, in conclusion, that this Bill has been well received and that the principles underlying it have secured wide acceptance. I understand also that it is well regarded in international data protection circles. It is in the nature of this kind of legislation that advances in technology may require it to be reviewed in a comparatively short period of time — though every effort has been made in  the drafting, particularly of the definitions, to ensure that its provisions will still be applicable in spite of technological developments. Also, the ground covered is so new that it would be surprising if experience did not demonstrate the need for some changes here or there in it. For that reason it is my intention to monitor carefully the operation of the legislation and in addition, through our representation on the consultative committee established under the Convention, to keep in touch with any developments that my require amending legislation.
This is, I believe, a non-controversial Bill and I commend it to the House.
Mr. Kennedy Mr. Kennedy
Mr. Kennedy: I would like to welcome the Data Protection Bill, 1987, a Bill which the Minister has indicated is designed to protect the privacy of individuals with regard to automated personal data and to give effect in this State to the 1981 Data Protection Convention of the Council of Europe. Indeed, the objectives of the Convention are briefly set out in the preamble to the Convention. They commit the member states of the Council of Europe to (1) achieving greater unity between the member states based, in particular, on respect for the rule of law as well as human rights and fundamental freedom; (2) extending the safeguards for everyone's rights and fundamental freedoms and, in particular, the right to the respect of privacy, taking into account the increasing flow across frontiers of personal data undergoing automated processing; (3) reaffirming at the same time the commitment of member states to freedom of information regardless of frontiers and (4) reconciling the fundamental values of the respect for privacy and the free flow of information between peoples.
I welcome this Bill because I believe there is general agreement on the twin objects of the Bill, firstly, to protect the privacy of individuals in relation to personal data kept about them on computers and, secondly, to facilitate trans-border flows of data to the greatest possible extent consistent with the protection of  individual privacy. I hope this Bill is successful in its basic objective of striking a reasonable balance between the requirements of privacy and maintaining the freeflow of data internationally, with due regard as the Minister has indicated, to the need to avoid over-regulation and to minimise the burden on industry. This Bill deals with a difficult subject and is further complicated by a number of technical matters. However, the aims of the Bill are clear and straightforward and indeed common ground to Members on all sides of this House.
We do not have to be experts in computer technology or fluent in the jargon of mainframes, minis, micros and optical character readers to understand the implications of the Bill for the protection of the individual and the enhancement of his or her personal rights. The introduction of this Bill must be seen in context. Within the past decade or so, technology has advanced in ways which are truly bewildering and this technology is increasingly coming to have a direct effect and impact on all of us.
Developments which until recently were in the realms of remote scientific theory are now of clear practical application. More and more office workers operate what is known as the electronic office. Commerce, industry and government are performing an ever increasing number of tasks with the use of information technology of some kind or other. Wherever we look, the impact of technology can be seen and it is clearly here to stay. This country, like all other modern progressive countries, must be in the vanguard of technology developments and application because there are great opportunities and benefits in this area.
However, with the opportunities and benefits come also disadvantages and possible dangers. Above all, developments in information technology have revealed how easily and rapidly information can be manipulated and collated, transferred and retrieved. That information, as the Minister has indicated, may include sensitive personal information. It is entirely understandable, therefore, that this proliferation of the  technology has led to certain unease and anxiety, and that there is some anxiety that personal information is collected about us all from unknown sources, is stored in data banks and used for all sorts of purposes, of which we are unaware.
Concern about the potential threat from computers is real but it must be stressed at this stage that the threat is still primarily a potential one. Actual instances of abuse, though not unknown, are still few and far between. The most important thing, therefore, is to guard against abuse in the future and to eliminate the concern that might other wise grow into a real impediment to the use of the technology. It was 20 years ago, 1968, that the parliamentary assembly of the Council of Europe made a recommendation to the Committee of Ministers expressing their concern about whether in the context of automated data banks, the European Convention on the Protection of Human Rights and the domestic legislation of members states provided adequate protection for personal privacy. That recommendation of 20 years ago led to other recommendation and ultimately to the European convention on data protection which was open for signature in 1981. The Convention was signed on behalf of Ireland in December 1986 but we cannot ratify this Convention unless the legislation which we are discussing today is in place.
The OECD have also been active in this area, producing an important set of guidelines governing the protection of privacy and trans-border flows of personal data which Ireland also endorsed in December 1986. This international concern adds a new dimension. Business depends more and more on the free flow of data, often personal data, between countries. This free flow of information must continue if business is to flourish. At the same time, however, the threat to the individual becomes potentially greater when data are used not only here at home but in other countries and in circumstances over which the subject and often the person passing on the information has little control. In recognition  of this Convention and the guidelines both confirm the right of countries which have introduced data protection safeguards to restrict the flow of personal data to other countries which do not offer comparable protection.
Ratification of this Convention of the Council of Europe is therefore of prime importance on two grounds. First, it will reassure people in this country that when computers are used for the storage and use of personal data there are special safeguards for individual privacy which are well up to the international standard. Secondly, ratification of the Convention will gain us membership of what one might call the European data protection club, thus ensuring a very important commercial interest, that Irish firms are not placed at a disadvantage in relation to firms in other European countries.
This Bill is, therefore, aimed at furthering the interests of two groups — on the one hand the individual about whom data are held, the data subject in the jargon, and on the other hand the holder of information, the data user in the jargon. Clearly the interests of these two groups will not always coincide. Every safeguard for the subject is a potential burden to the user. Throughout our consideration of this Bill it is vital to remember the need to achieve a reasonable balance ensuring that the rights of individuals as data subjects are properly protected without imposing unreasonable burdens on data users who collect and process personal data.
This Bill entitles individuals to establish the existence of automated personal data in relation to them, to have access to that personal data — although the Minister has indicated there are some important exceptions — and to have inaccurate data rectified and erased. The Bill imposes various obligations on people who keep automated personal data. For example, the data must be accurate, kept for lawful purposes, not disclosed in any manner incompatible with these purposes and protected by adequate security measures.
At the heart of the scheme established  by the Bill lie the office of the data protection commissioner and the public register of certain data users. Thus sections 9 to 12 of the Bill provide for the appointment by the Government of a data protection commissioner who will be independent in the exercise of his functions and who will have power to investigate complaints, supervise the operation of this legislation and, where necessary, require compliance with its provisions. However, to avoid undue bureaucracy and expense, the Bill adopts what I believe is a sensible approach, a two-tier system in respect of registration rather than opting for universal registration. This system is characterised on the one hand by a requirement of registration for large scale controllers and processers, that is those whose activities are more likely to give rise to concern, and a simpler system of self regulation for those whose keeping and use of personal data is limited in scope and poses no real threat.
Initially, this Bill proposes that only certain categories of data controllers would be required to register. These will include persons and organisations keeping specially sensitive data about racial origin, political opinions, health and sexual life, organisations operating in the public sector, financial institutions and agencies concerned with such matters as credit references, debt collecting, direct mailing and marketing, and all data processers, that is those who provide computer bureau services. The requirement to register will therefore cover a very wide and extensive area of activity, an area in relation to which the public may be expected to have a concern as regards the protection of their privacy.
The Bill does not apply to personal data which is kept for State security purposes or kept by an individual for recreational purposes, etc. The Bill does not apply to personal data kept on manual files or to non-personal data, for example, data concerning companies and partnerships. However, these areas — as the Minister has quite clearly indicated in his speech — may well have to be reviewed in the light of experience, and  the Convention leaves open the possibility of extending its provisions to data processed manually if any State such as Ireland so wishes. It may be the case that certain information on individuals which is currently held on computer form may be transferred to manual records simply to avoid having to give out that information.
As of now, however, it is the ability of computers to handle vast quantities of information to build up a picture of an individual, to search for individuals with particular characteristics and to do that and much else with amazing speed, which gives rise to the most concern and anxiety. Information held on manual files is simply not capable of such manipulation and does not, I believe, give rise at this moment to the same level of anxiety and concern.
Finally, there are other positive benefits to this Bill. It will encourage Government Departments and agencies and the private sector in general to adopt better practices in the handling of personal data. For these reasons, therefore, I welcome this Bill. I note the Minister for Justice, a Limerick man, has been very busy in both Houses in recent times. We are always very pleased to have him back. We welcome the main provisions of this Bill and assure him of our help in giving it a speedy passage here today.
Mr. McEllistrim Mr. McEllistrim
Mr. McEllistrim: The object of the Bill is to give effect to the 1981 Council of Europe Data Protection Convention. This is the Convention for the protection of individuals with regard to automatic processing of personal data. The Bill entitles individuals to establish the existence of automated personal data kept in relation to them. It enables them to have access to the data and to have inaccurate data rectified or erased. The data collected could up to now be used for all kinds of purposes. It could be very sensitive information and could be used without the knowledge of the person to whom it related. Such information could be stolen, copied or obtained improperly by people who should not get it; hence this Bill will impose various obligations on  people who keep automated personal data.
The data must be accurate, kept for lawful purposes, not disclosed to anyone and protected by adequate security measures. Under this Bill the Government will have to appoint a data protection commissioner who will have power to investigate complaints and to ensure that the operation of the legislation is carried out properly. Anyone who compiles personal data will be obliged to register with the commissioner. The Bill does not apply to personal data kept for State security purposes or kept by individuals for recreational purposes, and to personal data kept on manual files or the non-personal data concerning companies and partnerships.
The Bill also provides that the Minister may designate a civil servant in his Department to be a data controller or data processor. Sections 2 to 8 deal with the protection of the privacy of individuals with regard to personal data. They include provisions relating to collecting, processing, storage, access and dissemination of personal data.
The maintenance of unrestricted data flow is particularly important for our economy, especially in view of the establishment of the International Financial Services Centre at the Custom House Docks site. This is because several European centres have legislation restricting the export of data for processing to countries which have less strict data protection laws, or perhaps none at all. The absence of data protection legislation here could thus be a factor which international companies would take into account when deciding whether to establish a business here, particularly in the area of data processing. For this reason it is desirable that the Bill be enacted and the Convention ratified as soon as possible.
The Bill proposes that initially only certain categories of data controllers will be required to register. These will be persons and organisations keeping special sensitive data about racial origin, political opinion, health, sexual life and other organisations operating in the public sector and financial institutions  and agencies concerned with credit references, debt collection, direct mailing and direct marketing. All data processors who provide a computer bureau service must be registered. The requirement to register will cover a wide area of activity and will protect the privacy of the public. All persons and bodies who keep automated personal data will not be required to register, but will be equally bound by the general provision of the Bill. Complaints about these bodies can be investigated by the commissioner in the same way as he investigates complaints about those who are registered.
I am delighted that section 14 provides for the commissioner to prepare an annual report on his activities and to cause it to be laid before each House of the Oireachtas. The Bill is designed to provide adequate safeguards to individuals against any abuse of their privacy arising from automatic processing of personal data concerning them. It will encourage Government Departments and agencies and private sector companies to adopt better practices in the handling of personal data and not to keep data longer than necessary.
I welcome this Bill. It is very important for our country, especially for our people, and it will provide a safeguard for them against the nuisance of personal data compiled against them. I hope the Bill will get as speedy a passage through this House as it did through the Dáil.
Mr. Ferris Mr. Ferris
Mr. Ferris: I welcome the Minister back to the House with this legislation. Minister Collins has always treated this House with the respect it deserves and has always co-operated with Senators in trying to improve legislation. The Minister will find today that we will co-operate on this legislation which I think will get a speedy passage through the House. Possibly there will be all party agreement that we take all Stages of the Bill today. Considering the way in which the Bill has been dealt with in the Dáil, it will not be necessary to have detailed amendments on Committee Stage. I think that is the  view of the other Members of this House too.
This is a highly technical Bill ranging over 35 sections, seven chapters and three Schedules. It is probably the advances of technology, to which Senator Kennedy has referred, that have necessitated the Government to legislate to protect the right of the individual in this area of data collection, the way this data will be used, while at all times maintaining balance between the individual's right to privacy and the purpose for which the data will be used in the future.
People in public life have very little difficulty dealing with the fact that the public know everything about us. Everybody is aware of our political affiliations and our ideological view on most economic subjects with which we deal every day, but all of us, as public representatives, would like to believe we are entitled to a certain amount of privacy, like everybody else. This Bill addresses itself to that area of specific privacy, that is, the privacy one one's health, and the health of members of one's family, and we feel that if this information is documented for any reason by hospitals, institutions, the VHI board, an insurance company, or anybody else, that it should be private and used only by the institution in the carrying out of their functions.
I have no problem with people who want their religious beliefs to be confidential. Generally speaking, in Ireland in particular, people's religious beliefs are commonly known and are often a source of pride. People publicly state their religious beliefs. They also state their views in a whole range of areas, such as in social legislation. Privacy in the areas of politics and religion does not concern me, but the ordinary citizen likes to feel their political beliefs are confidential, although generally speaking good, gut politicians would have a fair idea of the political affiliations of their constituents.
I do not believe that this data protection legislation will indemnify our constituents in respect of the knowledge that we already have. It is reassuring to know that information of a political nature  obtained by illicit means has, in other countries, resulted in the resignation of Presidents when it became public knowledge and was generally considered unacceptable behaviour. From that point of view the Bill has the right kind of balance with fines of up to £50,000 if people go beyond their remit in this area and are found guilty in a court; they are liable to fairly extensive fines if they misuse the information.
We are conscious all the time that information sought and gathered particularly by financial institutions in the course of their business should be and must be confidential, and should never be released by them to anybody else for any purpose. It would be contravening the spirit of this legislation if financial institutions felt free to disclose that kind of confidential information to anybody else. In this day and age of credit cards and documentation of all sorts, financial institutions have access to information about people's financial affairs and their credit worthiness and other people should not be able to get that information except from the individual. I am pleased to see that, in the area of the public sector, whether it is in social welfare, health or in the financial area by way of banking institutions, credit finance companies, hire purchase companies and others, there will be regard to the privacy of the individual in respect of the information that is already processed.
This is highly technological. We have the idea that people with a computer can with the press of a button, have the information they require about most people in any country. It is a frightening thought. So it is appropriate that there should be in this area legislation common to other countries in Europe. Since other countries have introduced this legislation already the Minister has the knowledge that they have used in bringing forward this legislation. Other countries have made complete registration obligatory. The Minister has opted for optional registration for some types of data collectors. Why did the Minister leave that option? If we are not aware of why they have the option to register or not, how do we  know who is collecting data? If there is a registration process for everybody at least we will know who is registered and who has the right to obtain information, to check its authenticity or to have it erased or changed if necessary. If there are some people who do not necessarily have to register, the information they may have may not necessarily be available to those who show concern in this area. I am quite sure that there is a valid reason. It may be peculiar to our own situation in Ireland as a small nation, an island nation with our own computer processing equipment and our own data banks. Possibly it may be necessary for everybody to register because the Minister has made reference to this and the Bill makes a reference to it also.
We welcome the fact that any regulations arising from this legislation will be laid before the Houses of the Oireachtas which will give us an opportunity to discuss them. The fact that there is a reporting procedure will give us an opportunity to review the operation of this legislation 12 months down the road. The report from the commissioner will help in doing that in the Oireachtas.
We in the Labour Party welcome the concept of protecting individuals' right to privacy so that any information that might be gathered about them will not be made widely available without the approval of otherwise, or the knowledge at least, of the person who has been documented. We want to facilitate the Minister in regard to all Stages if the Government side of the House consider it is advisable to have this legislation on the Statute Book as quickly as possible.
Professor Eogan Professor Eogan
Professor Eogan: I also welcome this Bill. I would see it as part of a wider process leading to much greater freedom of information. On the other front, I am totally bewildered by the enormous advances in technology which have taken place within recent years, advances not only in techniques but in terminologies. I honestly do not know at the moment whether I am an individual or a data subject. Then we have to move into other terminologies such as hacking and so on.  Sometimes I feel almost nostalgic for the good, simple old days of the card index. However, we are now coming towards the end of the century and everything is evolving and moving and we have got to move with it.
It is, indeed, true to say that computers are a very powerful tool in the service of all of us, but we also have to take into account, and this is a good thing, that there is also a human background. Indeed, computers may on occasion be fed wrong information and this can adversely affect the lives of people.
In looking at the Bill on its face value, the whole problem of data protection looks simple but, in fact, it is much more involved as I am sure the Minister and all of us will agree. This Bill will place restrictions on some individuals or corporations. On the other hand, it does provide access to information, not only to check on information about an individual but also to correct information. To achieve all of this a correct balance is of course crucial. In looking through the Bill we must say that a free flow of data is essential, especially to business. It is also clear that abuses can arise. I am sure all of us in our daily lives here stories about people having difficulties with financial institutions and so on. However, taking into account the complicated nature of this proposed legislation, I would like to congratulate the Minister and all concerned on bringing before us this Bill. It is very timely; it is essential. It is by no means a simple and straightforward issue and that is clear from the various sections before us.
I am trying to clarify some points in my own mind rather than make a major contribution for the very good reason that there are so many complicated issues and sections within the Bill itself. It is quite clear to me that the Data Protection Bill has major implications for those involved with computer data on individuals. It is, therefore, important to understand exactly who this Bill will affect and what type of data it refers to.
Much of the Bill deals with the right of  data subjects to gain access to information about themselves. In this connection one may say that, if there is a name and address on a computer file, this file, with out doubt, contains personal data, but if the data subject is identifiable through an identity number or other unique code on the data the position is not so clear. Furthermore, in reading through the Bill it appears that data are personal data if the individual may be identified using other data in the possession of a data controller, but a data controller is himself defined as somebody involved with personal data. It thus seems that the definition of personal data involves, in some instances at least, determining who or what is a data controller.
That brings me on to the role of this very important post of data controller. Perhaps I have misinterpreted the Bill in some way but it is somewhat unclear to me whether the data controller must always be an individual. The Bill uses the phrase “person, alone or with others”. That is the definition outlined in the Bill but one may ask if a group can be a data controller or can individual members of a group all be data controllers for the same data. This has a major implications with regard to liability under the Bill and other aspects of it. For instance, if the data controller must be an individual, one might ask: is he or she a data controller by virtue of what he or she does, or can a person be designated a data controller, thus taking on the necessary responsibilities?
Further aspects with regard to data controllers come in under the Bill. It is true that a number of duties will be imposed on data controllers as a result of the Bill. These are often referred to as the data protection principles and they are laid out clearly in the Bill. For instance, we are told that data can be kept only for one or more specified and lawful purposes, that the data shall be adequate, relevant and not excessive in relation to that purpose or those purposes and that the data shall not be kept for longer than is neccessary for the purpose or those purposes. All these duties and  obligations of data controllers are, therefore, quite reasonable. It should be noted that an offence is not committed under the Bill by disregarding these principles in general.
Under the Bill the commissioner or another individual may serve an enforcement notice requiring compliance with the data protection principles. Disregarding such notice will be an offence. That leads me on to another aspect of the Bill, the question of registration, which is a vital aspect. As the Minister has said data controllers who are involved with certain aspects of sensitive information must register. Furthermore, there are related, quite stringent requirements, which could constitute an offence if they are not adhered to. Essentially, a data controller who is registered may not keep personal data of any description unless it is described in the register. He may only use it and obtain it from sources as specified in the register. He may only disclose it to those specified at registration and may not send it to a country not described in the entry for that data. An employee of the data controller is subject to the same restrictions. This highlights the need for a very thorough and complete registration of a set of data, or a data controller may find himself limited as to what he may or may not do with the data.
I am also glad that there is a section in the Bill dealing with research. This could be a tricky aspect and naturally may involve some subjects more than others. I can see certain problems with regard to medical research, for instance, unless one adheres very strictly to the code. There is no point in passing Bills unless they are implemented and adhered to. With regard to some of the medical problems — and I refer to that as one of the sensitive areas mentioned — one might ask: does every consultant have to be a data collector and, as such, does he have to pay registration fees? With regard to certain aspects of research — again it is really within these sensitive areas — if a medical consultant has to register he will then have to pay fees. Some of his work may be solely for research purposes and therefore, I wonder would it be possible  to consider a sliding scale of fees for registration.
We must be careful about other aspects of the contents of the Bill. I agree not only to the right of access to information but also to modification. It is true to say that, if incorrect information is stored, no matter where it is stored, facilities must be given to ensure that the data are made accurate by supplementing them with a covering statement or actually altering them. Notification of modification must be facilitated and I am glad that the Bill has the facilities to do so. I am also interested in the general structure of the Bill, the role of the commissioner, for instance, and the general control that will be exercised in the implementation of this Bill.
I have already stated the obvious, that is, technology is moving very fast. Day to day we see vital and fundamental changes taking place. In that connection I was particularly gratified to hear the Minister state this morning that he will be quite prepared to review, even within a comparatively short period, and to monitor the effect this Bill is having. With those possibilities about further change, should they be necessary, I think the Minister is doing an exceedingly important job. I wish this Bill a speedy passage.
Mr. B. Ryan Mr. B. Ryan
Mr. B. Ryan: This Bill is most welcome and I compliment the Minister. Not just in this country but collectively, we have, been a bit slow to respond to the extraordinary changes that have taken place, to which Senator Eogan has referred. I am always reminded of the scale models that are produced of what computers can do now by comparison even with 20 years ago. I know that the average desktop micro-computer that many members of the Orieachtas now have at their disposal, which may do no more than word processing but which is essentially a computer is such that what 25 years ago would have occupied an average size room now occupies the same space on a desk as an ordinary typewriter. Associated with that is the capacity to store and even to move manually large volumes of data on a  floppy disc so that the equivalent of one, two or three full size books can be carried on one disc and thus the volume that would be occupied by the equivalent of 20 or 30 books can easily be carried by somebody in his or her pocket.
Apart from the extraordinary capacity to transfer data electronically, the capacity of agencies to store data has been transformed to an extent that I think 20 or 25 years ago was unimaginable. The likelihood is that the transformation that will take place in the next 25 years is, even by those who know most about this subject, unimaginable. In the consumer computer magazines the speculation is that the sort of computer scale that was only available to major multinational corporations or to large State agencies could well be accessible to the average individual, or even at least to the very small businesses, within another ten years. The idea that there will be things called large computers is almost a thing of the past. At the same time the quality of electronic data transmission facilities that are available through telecommunications has been transformed as well. There is the capacity to move large quantities of data and also the capacity to gain access to it.
To a certain extent, however well we may think we have adjusted, we all share the memory of the day of the old card index. The one great thing about massive amount of paper information was that it took an enormous amount of work to dig out information about either one individual or a group of individuals. It does not take a lot of computer expertise to know that the most elementary data bases of the kind that are available for £20 or £30 for the average micro-computer can do a search through perhaps 2,000 records inside five seconds and generate in five seconds the sort of records about an individual that if they are kept on paper could well take somebody the best part of a day, if not a week, to assemble.
It is not just the question of the quantity of information that is being kept, because perhaps that will not run too fast ahead for us; it is the accessibility and the  ease of access to that information that represents the possible invasion of privacy, which is one of the objectives of this Bill and also the possibility of the abuse of that information for a variety of commercial and other reasons. Therefore, it is welcome that we are introducing legislation like this and it is also welcome that most of the western democracies have developed a similar position.
May I say, too, that having had a particular interest in it I welcome Senator Eogan's references to the need for a gradually expanding commitment to freedom of information. I look forward to the pursuance of the “almost” commitment that was given by the Minister here during our debate on freedom of information by the Government to pursue the matter of freedom of information generally as distinct from this very necessary and very welcome legislation. I do not think anybody has a monopoly of wisdom on how to deal with freedom of information. Anything I contributed was an attempt to move a debate along rather than to help to produce a formula which is an absolute solution.
The concept of freedom of information and access to records is one of the best guarantees of ensuring that whatever is recorded or stored, whether it be electronically or manually, is necessary and is not an abuse of position by anybody. There have been quite disturbing stories of perfectly respectable citizens being told by financial institutions that they could not be loaned money and they met a stone wall of resistance when endeavouring to find out why. These are people who never in their lives dreamed that there was any problem, who had never had problems with financial institutions and suddenly are told that they would not be loaned money. There is almost an echo of Big Brother about it. My own suspicion is that that probably is a product of mistaken use of information and confusion of identity. The best person to correct such confusion is the person who is the victim of the mistake. This Bill will go a long way towards ensuring just that.
We need to keep ourselves very clearly informed about the possibilities that arise  from the enormously accessible data that is now available, the speed of transmission and also the fact that, to a certain extent, large bodies will tend to accumulate and retain more information because of the ease with which that information can be accumulated and retained. It is not as much of a chore anymore. Even though it is a little intimidating we would want to understand — particularly those of us in political life — what is happening, so that we retain control of what is happening, so that the political system is firmly in control of how these potentially great benefits to our society are dealt with and to ensure that the potential misuse is regulated and controlled.
It is true, of course, that electronic data processing has also been a considerable asset to law enforcement, to international co-operation in law enforcement, to the capacity of security forces to have access to good, solid information on individuals who are the subject of criminal investigations without the enormous painful paperwork that used to have to be gone through. One can only think of an unfortunate British television series of recent years who chose to give an impression that the Irish security forces had never heard of computers until this British genius came along to explain it all to them whereas I am aware that the Garda have been using — and by and large one could not argue with the way it is being used — computer data banks to facilitate and expedite their own activities. That is a correct use of modern facilities to protect all of us from those who make our lives difficult if not impossible.
Therefore, I welcome what is in the Bill. I do not intend to go into it in detail but there are a number of questions I would like to ask. It is a welcome fact that we are going to develop a system of control of data storage. We all have our opinions about the structures of that system but it is not necessarily an argument. As the Minister has said, we are all to a certain extent involved in the learning process and, therefore, there are no absolutes or rigid definitions at this stage. We will learn and assess from the  experience of other people. I am very glad to see that he has identified this.
He has chosen not to do a number of things that other countries have done. In the UK there is a comprehensive requirement on all people who keep electronic data to register and this is a major cause of concern to small scale, almost hobby, micro-computer users, according to some magazines. We are not going to do this here because it is probably unnecessary and is definitely an extra burden on ordinary people. My understanding is that under the United Kingdom-type legislation, Members of either House of the Oireachtas, for instance, who chose to keep their information on their constituency work on computer would have to register with the Data Commissioner. I do not think that is a necessary requirement. The general requirement of self-assessment and self-enforcement is a better and more acceptable option.
I should like to put a number of questions to the Minister about the Bill. I am a little disappointed that the definition of “inaccuracy in data” is confined to lack of correctness or being misleading as to any matter of fact. From my limited experience working with voluntary organisations I am aware that opinions can be almost as damning as factual information. People can have opinions about a variety of matters dealing with individuals such as their mental condition, their suitability for lending and so on which may not be factual but may be quite misleading and wrong. I would hate if there was a loophole in the legislation under which information on an individual which was not of a factual nature but amounted to an opinion or the personal judgment of the individual who compiled the data was not at least open to argument, if not to correction.
In his opening remarks the Minister referred to the need to strike a balance. There is an important balance involved here. It is possible that we could overload people with too many regulations in regard to this matter to a degree that would be disproportionate to the benefits being conferred on the individual or society. I am not sure the Minister is right  in exempting the whole area of manual data or data recorded on paper. I fully accept that given the volume of material that is kept on paper it would be an unfair burden on the State and private organisations to impose excessive controls but it is possible that many people will try to avoid or evade the responsibilities the legislation imposes on them by deliberately keeping some data in the future off a computer and in manual form. Is it not worth considering, at least in the immediate future, making future records kept on paper subject to controls contained in the Bill for electronically maintained records?
In the long term I would prefer that all data should be kept in this way but since nobody is quite sure of the extent of the information kept on paper in public and private offices due to the volume of paperwork and the difficulty of access to it the Minister is correct in not introducing a control on that immediately. However, I am worried about the possibility of evasion of responsibilities under this legislation in the future by those who may choose to keep records on paper. I have no objection in principle to the range of exemptions contained in the Bill and I do not think anybody could argue with them but the wording causes me concern. Section 1 (4) states:
This Act does not apply to—
(a) personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,
Nobody would argue that information kept for the purposes of safeguarding the security of the State should be exempt from legislation like this. That is quite legitimate but I wonder if it is a proper balance between the rights of the individual and the security of the State to leave this simply up to the opinion of the Minister. It appears to me that there is a case for an element of independent judgment on issues like this. I understand  that an amendment to this effect was discussed in the other House.
It is my view that there is a good case for this although I appreciate the argument put forward by the Minister in the other House, that for much of this information the fewer people who have access to it the more secure it is. However, we are talking about delicate balances and my preference has always been for a degree of independence in this area, even if it was to be a designated member of the High Court who would have the final say. There is an important need for a balance in this regard. The provision is loaded in favour of the Minister and unnecessarily so. The objectives being set out could easily be met without that excessively generalised provision.
Section 5 deals with the restriction of the right of access. I must confess that having read subsection (1) (a) and (b) three or four times the precise meaning of paragraph (b) has evaded me. It is not the Minister's obligation to explain it to me but I appeal to him to do so. I cannot understand that provision and I would be interested in hearing an explanation of it, I do not think anybody could argue with most of the exemptions. It is correct that any information which would be prejudicial to the maintenance of good order and discipline in a prison should be exempt. However, it is not clear who makes the decision in regard to that. At least in regard to section 1 it is clearly the Minister who will take the decision and in other section the decision is left to a chief superintendent of the Garda Síochána or an officer of equivalent status in the Defence Forces. However, in other paragraphs it is not clear at what level of an agency the decision must be taken. That is the major quibble I have with section 5. It is not clear in regard to the security of prisons who will be the person to decise on this issue. Will it be the Minister, a designated officer of the Department or some other official?
In section 8, which deals with the disclosure of information in certain cases, it is clear that in paragraph (a) the information can be disclosed if in the opinion of a member of the Garda Síochána not  below the rank of chief superintendent or an officer of the Permanent Defence Forces who holds an Army rank not below that of colonel the information is required for the purposes of safeguarding the security of the State. Nobody can argue with that and that appears to be a reasonable provision. I could argue about how I, and other people, would judge what is necessary for the security of the State but the security of the State must have the right to have access to information. Again, I would prefer if there was an element of independent assessment in regard to this, particularly in regard to the way search warrants, and other warrants, must be supported by an independent agent. That would be more acceptable and would guarantee a measure of accountability.
Paragraph (b) states that if the disclosure is required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax the restrictions in the Bill do not apply. Paragraph (c) states that the restrictions do not apply if the disclosure is required in the interests of protecting the international relations of the State. What struck me about those provisions — it may be covered in a section that I may have missed or misread — is who will decide that the information is required for the purposes listed or is required in the interests of protecting the international relations of the State.
There is a slight element of a catchall phrase about some of those phrases. There is a “just in case it might be needed” feeling about them. It seems that it is not at all clear that the decisions to demand access to information for those reasons would be taken by somebody at a level of competence or of authority which would be appropriate to the breach of privacy that is involved. I am not arguing with any other issues raised in section 8. I am simply saying that it ought to be made clear that the access to data required under paragraph (b) and (c) ought to be given only on foot of serious need and on the authority of  somebody of an appropriate degree of seniority.
An Cathaoirleach An Cathaoirleach
An Cathaoirleach: Senator Ryan, I have just come in. Are we on Second Stage or on Committee Stage? What you are saying sounds a little like a Committee Stage contribution.
Mr. B. Ryan Mr. B. Ryan
Mr. B. Ryan: I would not have thought so but that is a matter for you rather than for me to decide. In conclusion, I regret that, even though the Minister mentioned this in his speech, there is not an actual prohibition on hacking as a criminal offence. Hacking is another form of burglary. It is electronic burglary. It is as improper as breaking into somebody's house, breaking open their filing cabinets and stealing their records. It is glamourised to some extent by people who are in the computer hobby business. The fact that it is carried out by people who do not perhaps act or look like criminals does not take away from the fact that it is an appalling breach of people's privacy. It is a breach of proper practice in terms of trade secrets and so on. It should be made a criminal offence and I would like the Minister to assure us that it will be made so quickly.
With those reservations I welcome the Bill and look forward to its operation. I suspect that, as happened in Britain where it was anticipated that there would be a flood of people wishing to find out personal data but where from recent reports the number was fewer than 100, if not fewer than 50, the same will happen in this country until perhaps there is some upsurge and somebody will be swamped with information. It is important that in the whole area of the assessment of the credit worthiness of individuals, people should have the right of access to such information. Whatever about the security of the State in cases involving major issues, many private agencies make decisions about ordinary citizens on the basis of what is often less than reliable information so people ought to have the right of access to the correct information. I welcome the Bill and compliment the Minister on bringing it before the House.
Mr. McKenna Mr. McKenna
 Mr. McKenna: Like the other Senators, I extend a very warm welcome to this Bill and congratulate the Minister on bringing it forward. It is very appropriate at this time. As Senator Ryan has said, it is absolutely mind-boggling to think of the developments that have taken place in recent times in relation to the whole computer business. One wonders what further developments will be made in the next 20 years. This Data Protection Bill is very appropriate at present. I have always been a strong advocate of the protection of individuals rights relative to the automatic processing of personal data. Like Senator Ryan, I think that experience will show that eventually we will be obliged to enact legislation to cover personal data which is held in all media as well as that which is proposed for electronic media.
I have had the experience of a family in my constituency — this relates to credit worthiness which was referred to by Senator Ryan — who were very hard working and had never been in trouble or difficulties. When the time came for their eldest son to attend third level education they applied to a financial institution for funding for that purpose but were turned down. They could not understand the reason for this and when they inquired from the financial institution they were told that their personal history was not satisfactory. They were amazed at this answer and asked for details of the information on the file. They were told that there was no legislation to force that institution to give that type of information. The family were absolutely shattered. They felt that their good name had been taken away and, as far as they were concerned, for no good reason.
I witnessed another example of an oil company which funds the installation of central heating. The family in question filled a form giving details of their commitments and so on but the oil company refused the funding for the work. A week later the same family were given a proposal form by another oil company stating that they were prepared to fund the installation. In this case individuals were collecting data on families, giving it to  one oil company and recommending that these people should not get the funding while at the same time recommending to another oil company that they should get it. These individuals were gaining on both sides. They could not lose. They were knocking the person to one oil company and recommending him to another. That practice is absolutely deplorable but this legislation will rectify it. The legislation probably should have been in place many years ago.
An individual has a right to the information that is stored about him or her. He has a right to get a copy of the data to ensure that it is accurate and he has a right to compensation if inaccurate data has damaged him in any way. If the information is not accurate the person has a right to have it rectified or erased. I welcome this legislation from the point of view of strengthening individuals' rights. The Bill proposes to give to individuals rights of access to personal data which is held by others and I hope that individuals will make use of those rights.
There are serious implications for businesses in the implementation of the legislation. I say serious implications from the point of view that if they do not comply with the legislation they will have to endure fairly severe sanctions. No serious problems will arise for businesses if they adopt a positive approach and carry on their businesses with the normal good practices that most companies uphold. In other words, if the operation of the companies complies with the generally accepted standards already in practice there will not be a great impact on companies' operations other than in a few areas. The companies, as the Bill outlines, will have to make sure that information is obtained and processed lawfully, that the data will be accurate and kept up to date, that it must be held for legitimate and specified purposes, that the data will only be used or disclosed in a way which is compatible with these purposes and that it will be adequate, relevant and not excessive in relation to specified purposes. Individuals would expect that companies would, in the normal course of their business, carry out  these practices in a fair and reasonable manner. It is not expecting too much from them to comply with those regulations as it is the practice of good standards.
The individual, or as described in the Bill, the data subject, will have the right to access to information held about him or her on payment of a specified fee. The data subject is entitled under the Bill to have the data held about him corrected or erased where the legal provisions safeguarding personal data have not been complied with. If correction or erasure is required the data subject is entitled to a refund of the fee paid for the disclosure of the information. Again, this gives the individual a right which is long overdue. I hope that the fee which will be set will be reasonable and will not prevent any individual from gaining access to the information held about him or her. The provision in this Bill will involve the owner of the data or the company in additional costs but I believe these costs will not be over-excessive. The costs will arise in two areas: (1) the provision of programmes to access and correct or erase the data; and (2) the overhead in providing a further service which up to now was not required.
The provision in section 6 (2) (b) of the Bill requires the owner of the data, where an irregularity has been discovered in personal data, to notify “...any person to whom the data were disclosed during the period of 12 months immediately before the giving or sending of the request, of the rectification, erasure or statement concerned”. Does the Minister think this section may cause difficulties or that it would be impractical? It is interesting to note that a similar provision was included in the draft legislation in the UK but was not included in the final legislation. That is not to say that we should follow to the letter of the law exactly as happens in Great Britain. Does the Minister think that the procedures in relation to following through on that section will be workable? The legislation could add some high additional costs and, as I said earlier,  those may be impracticable or unworkable. If these are found to be impracticable or unworkable this might cause damage to an absolutely tremendous Bill. This would be a tragedy because the Bill provides essential and fundamental rights for individuals. Companies will also be required to take appropriate security measures against unauthorised access to disclosure, alteration or disruption of data and against additional loss or destruction. While these provisions may appear to be serious at first glance, they are essential practices for any computer based system.
The Bill is vital also in the context of the Custom House Docks Financial Services Centre which will be of tremendous benefit to this country. As the Minister stated the object of the Bill is to enable Ireland to ratify the 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data. Its relevance to the Financial Services Centre lies in the fact that when the Council of Europe Convention is fully operational it will permit satisfying countries to refuse personal information to be transferred to other countries which do not have comparable data protection laws. It is imperative, therefore, that we enact this legislation from a Council of Europe point of view as well as from the point of view of the individual's rights.
The Bill provides for the appointment of a Data Protection Commissioner for a term of not less than five years. I understand the urgency for enacting this legislation but I believe this is only the beginning of the freedom of information. I ask the Minister to note that in the French system a Data Protection Commission were set up to help the commissioner. The Minister has agreed to review the legislation on an ongoing basis and perhaps he might consider at some time in the future the appointment of a commission because the amount of data that will be forthcoming in terms of the media, as against data processing, will be absolutely enormous.
I note that Senator Ferris asked a number of questions about registration.  I hope that the experience in the UK will not be repeated here. Registration in the UK has not worked too smoothly. All data users are required to register and I think that caused the problem there. This Bill requires that only certain categories of people have to register. This is the way to start and eventually this requirement can be extended to other data users down the line. This legislation will immediately benefit the major areas of operation and it will then filter down to other areas of operation. This should prevent the repetition here of what happened in England. The UK Act has been in operation for four years but registration has not been running smoothly there.
I congratulate the Minister on bringing forward this very positive and essential legislation. I look forward to its successful implementation and its eventual extension to cover full data protection and freedom of information.
Mr. Norris Mr. Norris
Mr. Norris: Like the other Senators who have spoken I also welcome this Bill. Its genesis is fairly ancient in European political terms. The Bill is not just one of domestic generation: there is a requirement under Article 4 of the Convention that, before a State can become party to this Convention, it must have taken the necessary measures in its domestic law to give effect to the basic principles for data protection set out in it. The genesis of this legislation in Europe goes back to the seventies and I have before me an OECD document dated Paris, 1 October 1980, with a lengthy preamble which recognises the necessity for this legislation and the benefits that flow from it. While I agree with most of the benefits that are stated in this preamble to flow from such legislation, I have one query with regard to the preamble which says very positively that trans-border flows of personal data contribute to economic and social development. That is one way of looking at it, but there are very clear dangers in the unrestricted trans-border flow of computerised data and information. I will return to this because I want to seek an undertaking from the  Minister that he has utilised to the maximum the capacity within the Convention for the derogation of sovereign states from certain of its provisions.
The principles which were laid down in the 1980 document are interesting and most of them have been fulfilled. Paragraph 7 of the document states that there should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. This addresses a point made by my distinguished colleague, Senator Brendan Ryan, when he asked the Minister — and I shall also add my voice to this request — to make hacking into information banks a criminal offence. I am very pleased to see the Minister nodding because this is most important. The Minister specified certain areas in which information relating to the financial status of individuals or the very personal, intimate, private, sexual conduct of individuals may or may not be legitimately held by organs of this State. It would be quite outrageous for there to be no penalty if this information could be invaded and exploited by computer amateurs.
Paragraph 8 of this document states that personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes should be accurate, complete and kept up-to-date. This is a very important principle and I would like an assurance from the Minister that he will go a little bit further in this legislation — and I have not noticed that he has — so that not only will this principle be implemented but also that information gathered, for example, by the security forces of the State, the Garda, the Army, the secret service or financial institutions information gathered, garnered in for one purpose shall not be reusable subsequently for other purposes.
I say this because of what happened in the course of investigating the murders of nurse Helen Gargan and of Charles Self. In particular with regard to the murder of Charles Self, there was a very extensive investigation during which a  wholesale fishing expedition was conducted by the Garda which had absolutely no relevance whatever to what ended up as a completely unsuccessful murder investigation. If this information was kept on computerised files and if this information was subject to free transborder flow, it could have very serious consequences for Irish citizens who subsequently sought employment under the free movement of labour in the European Community. For example, in Germany there have been considerable protests recently about the so-called Berufsverbot, whereby people who engaged in protests in certain areas of social reform and so on were placed on a categorised list and thereby excluded from employment by central state agencies. I would seek a clear and explicit understanding from the Minister that, under the terms of this Bill, information collected for one specific purpose shall not be used against the interests of the citizen for other purposes.
Paragraph 12 of this OECD document dated, 1 October, 1980 states under the heading “Openness Principle”:
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
There is then a section on the “Individual Participation Principle” most of which has been satisfactorily met by the provisions of a Bill which, in general principle, I am very glad to welcome. The Minister may be interested to learn what was being thought in 1980. I should not say to learn, that is very presumptuous of me; I assume that he probably knows already. However paragraph 13 reads:
An individual should have the right:
(a) To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
 (b) To have communicated to him, data relating to him
(i) Within a reasonable time;
(ii) At a charge, if any, that is not excessive;
(iii) In a reasonable manner; and
(iv) In a form that is readily intelligible to him;
(c) To be given reasons if a request made under sub-paragrpahs (a) and (b) is denied, and to be able to challenge such denial; and
(d) To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
An Cathaoirleach An Cathaoirleach
An Cathaoirleach: Senator Norris would you give the source or reference of your quotation.
Mr. Norris Mr. Norris
Mr. Norris: It is a document entitled Recommendation of the Council of the Organisation for Economic Co-operation and Development Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.
I would like to move on now because what is being spoken about here is data protection. I am very glad that the Minister has not followed the early draft of the convention which spoke of files, because that was unnecessarily restrictive. However I do have to say that, when the Minister in his introductory remarks, referred to a lack of; public concern with regard to what I might call manually stored data, he is being just a little bit disingenuous because the Minisiter knows that there has been concern in this area for quite a considerable time. I recognise the difficulties but I do not think they are incapable of being overcome. I would remind the Minister that, as early as 1983, the Irish Council for Civil Liberties made this clear. I have before me a letter from a researcher who was commissioned to undertake research work on this matter on behalf of the Irish Council for Civil Liberties.
The second point the researcher makes  in her letter is that the provision of safeguards in respect of non-automated as well as in respect of automated personal data must be undertaken. Therefore, it will be seen that there was concern five years ago, concern that I believe was expressed perhaps not to the present Minister but to his predecessors. I know also, because this was an unusual area by virtue of the fact that, I will not say rival but two analogous Irish organisations, for once, were not at each other's throats and were able to co-operate in a joint committee. I speak of the Irish Council for Civil Liberties and of the Irish Association for Civil Liberties. I understand that both of those organisations made representations with regard to the protection of non-automated storage of personal data. I hope that perhaps the Minister's advisers will seek some further clarification and consultation with both these worthy organisations with regard to their feelings on this matter. It will be clear from any contact with them that there has indeed been considerable concern in this area.
When the Minister says that the protection of manually-held data is another day's work and that he is sure it will come in time but that he has no evidence of public concern in this regard and consequently it will have to get a lower priority, I hope that if nothing else, my speech here this morning will be evidence of public concren in this area. Perhaps the Minister will be able to move it up his scale of priorities and that his advisers will refresh their memories with regard to the publicly-expressed concern. I believe there has been concern because, of course, the computerisation of this kind of information is relatively recent phenomenon and merely exacerbates what has been an existing problem of a very sensitive nature. People are concerned that information should be stored, very often without their knowledge, about their personal lives in a way which may multiply and may have a damging effect on them.
I would like to quote very briefly the four principles that have been isolated by  the Council of Europe in their explanatory report on the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. They are quite short and say that safeguards include four main elements: knowledge about the existence of an automated data file; knowledge about the contents of the information, if any, stored about data subject in a file; rectification of erroneous or inappropriate information, and a remedy if any of the previous elements are not respected. The report was issued in Strasbourg on 28 January 1981 by the Council of Europe. These principles have been clearly outlined in a White Paper on data protection emanating from the British Home Office in April 1982 entitled Data Protection — The Government's Proposals for Legislation. I should like to deal with its substance which is very relevant to this Bill. It says, regarding general principles:
The general principles set out in the Younger Report ... were broadly endorsed by the LINDOP Commitee and have been embodied in the Data Protection Convention. The principles (following Articles 5, 7 and 8 of the Convention) are as follows:
(i) The information shall be obtained and processed fairly and lawfully...
Again, right at the top of the menu, comes this idea of access to information lawfully. I might draw the Minister's attention to this again. I am very glad that he nodded. I take it that means that there will be a Government amendment making hacking into this information a criminal offence. I certainly hope so. If not the Minister can rest assured that such an amendment will be put from these benches and I am sorry to have to say a vote called for. This is part of the duties of legislators. If I did not do it I am perfectly certain my colleague, Senator Brendan Ryan, would do it, because it is very important. Perhaps the Government will be prepared to graciously accept an amendment in this area. Obviously the Minister agrees in principle that this is an  important area in which people should be protected. There is no reason some bright student in one of our colleges of technology should be entitled to free access to the most intimate, embarrassing and perhaps potentialy damaging information about us as individuals. The citizens of this State have every right to be protected in this area. Subparagraph (ii) says: “It shall be held for a specified and legitimate purpose or purposes”. Again my previous comments apply; subparagraph (iii) says: it shall not be used or disclosed in a way incompatible with those purposes”; subparagraph (iv) says: “It shall be adequate, relevant and not excessive in relation to the specified purpose.”; and subparagraph (v) says: “It shall be accurate and, where necessary kept up to date.”
Subparagraph (vi) states that it shall be kept in name, length, form, no longer than is necessary for the specified purposes. Again, there are certain areas which it may very well be important for co-operation between the Minister for Health and the Minister for Justice. As the situation with regard to AIDS, for example, worsens, the gathering and storage of information about the spread of HIV infection may well be something necessary in preparation for certain prophylactic measures on behalf of the State, but this must not be name-linked. It is important with regard to this sensitive information, where people's employment may be threatened, that these kinds of protections should be entered.
Subparagraph (vii) states that the data subject shall have access to information held about him or her and entitled to its correction or erasure where the legal provision safeguarding personal data have not been complied with.
Subparagraph (viii) specifies that appropriate security measures must be taken against unauthorised access, alteration or dissemination, accidental loss and accidental or unauthorised destruction of data. There is quite an amount of emphasis here on areas that I believe are not directly covered as yet by the Bill although, as I say, it is a Bill to which I  have no difficulty whatever in giving a general welcome.
I believe — and I am glad to see that the Minister appears to agree with this in the legislation — that the legislation needs to apply to both the private and public sectors. I believe also it is important that we should have the maximum benefit of the derogations that I spoke of earlier on and perhaps it would be possible for the Minister to give some reassurance on that. I believe also that the public interest in the non-disclosure of sensitive information, such as that held by the Secret Service on individuals or details of a criminal investigation, can be realised by expressly dealing in the legislation with the extent of permissible limitations, as the Convention attempts to do Article 9.
I am genuinely seeking some information from the Minister with regard to the operations of the Bill. I note that in his speech he mentioned that section 11 deals, as I understand, with certain derogations from this chapter dealing with transborder data flows but I wonder if it goes as far as we are allowed, because article 12 (2) states that a Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authoritisation transborder flows of personal data going to the territory of another party. In paragraph (3) it goes on to say:
Nevertheless, each Party shall be entitled to derogate how the provisions of paragraph 2: (a) in so far as its legislation includes specific regulations for certain categories of personal data or automated personal data files, because the nature of those data or those files, except where the regulations of the other party provided equivalent protection and (b) when the transfer is made from its territory to the territory of a non-contracting State through the intermediary of the territory of another party in order to avoid such transfers resulting in circumvention of the legislation of the party referred to at the beginning of this paragraph.
 Reading that — and I may be reading it inaccurately — it seems that in this legislation we have not gone to the full limits of our capacity for derogation. Again, I may be reading it inaccurately, but section 11 seems to leave a very wide margin for discretion in the hands of the commissioner and this derogation is by no means automatic, as perhaps it should be.
I would like, in conclusion, to give a number of instances, because they put it into a kind of human framework, of the kinds of ways in which, not in this jurisdiction but in Great Britain, it has been found by the National Council for Civil Liberties that the holding of data files can operate to the disadvantage very clearly of the individual. I would like to instance just three brief cases from a book called Privacy: The Information Gatherers by Patricia Hewitt of the National Council for Civil Liberties, published first in 1977. The first instance is:
Mr. C, attempting to expand a small, but profitable business, suddenly found himself unable to get credit. He went to the offices of a local trade association specialising in credit reports and asked for a reference on his own firm.
This is clearly the area in which this legislation is dealing.
The manager pulled out a record card and said: “Don't deal with that bastard; he's a bad risk. People like him should be locked up.”
I apologise, a Cathaoirligh, for the unparliamentary language.
An Cathaoirleach An Cathaoirleach
An Cathaoirleach: Senator Norris, is that parliamentary language?
Mr. Norris Mr. Norris
Mr. Norris: I have apologised for it, but it is the recording of an outrage. I share your outrage that this comment should have been made and it illustrates extremely well the kind of situation that can occur
An Cathaoirleach An Cathaoirleach
An Cathaoirleach: It is not a question of outrage because the Senator has never  yet seen me outraged, but I cannot allow him to use that word in this Chamber.
Mr. Ferris Mr. Ferris
Mr. Ferris: Getting close to it.
Mr. Norris Mr. Norris
Mr. Norris: Then it can be withdrawn and covered by a discreet ellipsis which, no doubt, will be of such a nature that it will perhaps suggest an even more colourful epithet to those who read the Official Report. Unlike a late Member of the Seanad, Professor Maguinis, who believed that the people of Ireland were queuing up at the Stationery Office to buy the Official Report of the Seanad in order to read about The Tailor and Ansty and inflame themselves erotically with reports of cows being led to the bull and so on, I doubt very much if the plain people of Ireland are going to queue up to see what kind of unparliamentary language is being used, but I accept fully the Cathaoirleach's ruling.
An Cathaoirleach An Cathaoirleach
An Cathaoirleach: Whatever about the cows being led to the bull, would the Senator get back to the Data Protection Bill?
Mr. Norris Mr. Norris
Mr. Norris: I shall be very glad to do so. In any case, the person involved here ended up with the phrase “people like him should be locked up.” He was obviously unaware that he was addressing the subject of that report. Although the record stated that Mr. C. had been served with county court bad debt judgments over a period of three years, these judgments had been made against Mr. C's father, who had incurred them when he was ill and dying.
I may say, in an aside, that I had occasion to meet a distinguished member of the Irish peerage at a reception in the American Embassy on Saturday and he informed me that when he went to acquire his late father's death certificate he was actually presented with his own death certificate, which he unwisely corrected because, if he had not corrected it, he would have been exempt from income tax. If anybody is kind enough to present me with my death certificate you may take it for certain——
Mr. Ferris Mr. Ferris
 Mr. Ferris: If your pay was stopped, that would be worse.
Mr. Norris Mr. Norris
Mr. Norris: ——I will accept it and I am sure there are other Members of this House who would also accept it only too gladly. Mr. C's father had incurred these debts when he was ill, dying and incapable of handling his affairs. That is the most extraordinary situation. It is precisely what this Bill needs to deal with. It would be an abuse of the hospitality of the Chamber and the Minister's patience to read any further examples, so I will not do so.
However, with regard to the storage of this information, it can be equally damaging for the individual if it is held in manually operated systems, although I would have to accept that the damage is multiplied if this is fed into an automated system and it is infinitely more difficult to correct. Once it gets into the system it can circulate in a matter of seconds all over the world and can be notoriously difficult to correct. I would like to quote from an article in a report called Privacy and Social Control by John Shattuck in the Privacy Report Volume 3, Number 8, of March 1976, published by the American Civil Liberties Union. There are some really remarkable and appropriate phrases in it. I am glad to be able to say that it is quite short. It reads:
Power may come out of the barrel of a gun but far more power comes out of a computer or data bank, particularly if the information in it relates to people who do not know that it has been collected or cannot challenge its accuracy or use. The definition of privacy as a right to control information about oneself is, therefore, a good one. Widespread collection and use of personal information is, of course, an inevitable feature of our society. The social services we regard as essential, medical, legal, social welfare, educational, credit insurance, could only be performed when there is a full and honest disclosure by the person served  to those performing the service. Unfortunately the service providers often fail to consider the larger forces of social control whose unwitting instruments they become when they collect data from their clients. We must, therefore, constantly guard against the use of personal information as a means of exercising social control by establishing procedures to ensure that, to the maximum possible extent, people can disclose what they want about themselves only to those whom they want to tell.
I greatly welcome the possibility for inquiry into the personal files kept on people although only about 100 people used the facility in England when it was brought in. I would like the Minister to know that I would be one who would be seeking information.
Of course the Minister will be perfectly well aware that a number of years ago my telephone was tapped and it was quite impossible for me to get a statement on this matter. I consulted my legal adviser. Senator Mary Robinson, and she said there was no point in pursuing it because I would be met with this idea of the security of the State. I would not wish to be contentious or difficult but I may remark to the House that during a court case which I took, a very unpleasant line of inquiry was embarked upon. I knew my telephone was tapped and I telephoned the head of the Dutch Liberal Party and asked them to please send an observer over. They did so and that line of inquiry was dropped.
I am, of course, aware of the logical fallacy post hocergo propter hoc and I would not dream of suggesting that because I made a little ministerial broadcast on my leaky telephone that this occurred but one is entitled in the privacy of one's mind to certain suspicions, however unworthy they are. As a person who has always led the most upright, morally blameless, reproachless life that would not bring a blush to the face of an Anglican nun, I will be fascinated to discover what can possibly be recorded in files, computerised, manual or any other  kind, that may be held on me because of course I have, as the Minister will be aware, a very considerable interest in fiction.
An Cathaoirleach An Cathaoirleach
An Cathaoirleach: Thank you, Senator Norris, you are so humble.
Minister for Justice (Mr. Collins) Gerard Collins
Minister for Justice (Mr. Collins): I want to thank the Members of the Seanad for their generous and warm welcome to this legislation and I very much appreciate the positive contributions made by the Members who spoke, perhaps some contributions were not as colourful as others but then that would be difficult to expect.
I thank Senator Pat Kennedy who was the first contributor for his thoughtful and comprehensive contribution. He rightly stressed the importance of ratifying the Convention and ensuring that this country is not placed at a disadvantage in the international competition for data processing. We propose to ratify the Convention at the earliest possible date and, as the Convention comes into force three months after the deposit of the instruments of ratification, the intention is to deposit these instruments three months before the Act is brought into full operation. It will take six to nine months to bring that about to give time for data controllers to adapt their systems to the requirements of the Act and to appoint the commissioner to make the regulations governing the requirements of registration of those controllers who have to register.
I thank the spokesman for the Government party group in the House, Senator McEllistrim, for his very thoughtful and helpful speech. I note he also stressed the need for early ratification of the Bill so that its benefits, the protection and privacy of individuals and improving the competitive position of this country in securing data processing contracts can be availed of. I assure Senator McEllistrim we will get our data protection system off the ground as soon as we possibly can.
Senator Ferris also welcomed the Bill and I thank him for this welcome. I note  that in his speech he emphasised the wide support the Bill has in the House, as it had indeed in the Dáil. Senator Ferris asked how a person could establish the existence of personal data when everyone with such data is not required to register. It is true that this Bill is based on partial registrations so as to avoid having a bureaucratic and onerous system. Under section 3, any individual who believes that a person keeps personal data has the right to ask that person whether he keeps such data and, if he does, the purposes for which they are kept.
There is also a right to be supplied with a description of the data because, under section 4, an individual has a right (a) to be informed by the data controller whether the data kept include personal data relating to him and (b) the right to be supplied with a copy. These two rights enable an individual to establish the existence of personal data relating to him or her and to have access to the data. I expect that every data controller will set out in a brief document the purposes for which he holds the data and also a description of the data. If he gets an inquiry under section 3, all he has to do is to put a copy of the document into the envelope and send it to the inquirer.
Senator Eogan asked about the definition of data controller. He asked if it applied to individuals as distinct from companies. It applies to individuals and companies because “person” in statutes includes companies by reason of the general provision in the Interpretation Act, 1937. I am glad the Senator gave me the opportunity of explaining this. He also asked if every medical consultant who has computerised health data is a data controller and if so, whether he has to register. The answer to that is he will be a data controller if he controls the contents and use of the data as, presumably, most private consultants would. All data controllers with health data have to register. The fee to be charged for registration will be fixed by regulation and we have not yet come to any decision on the basis to be used for the charging of fees. We will bear in mind what Senator Eogan said on behalf of consultants and  others in a similar position when the regulations are made.
Senator Brendan Ryan suggested that opinions can be misleading or incorrect as factual matters and that, therefore, incorrect or misleading opinions should equally be liable to be corrected or erased. There are two arguments against this. First — a technical reason perhaps — opinions are regarded as being personal data relating to the persons who express them rather than to the subject of the opinion. Secondly, apart from that, it would be impossible to say in most cases whether an opinion is correct. We all have our opinions.
Senator Brendan Ryan also asked about section 8 (a) which allows a data controller to disclose personal data if he is asked to do so in the interests of safeguarding the security of the State. The personal data concerned might have nothing to do with security matters but, nevertheless, could have implications for national security. An example of this would be where an employee of a firm engaged on a Government defence contract was suspected of leaking sensitive information to subversive groups or perhaps he was employed by a firm making or using explosives and was suspected of transferring them to these groups. The Garda would go to that firm and seek information about him. In so far as the information sought was held on the firms's computer it could not ordinarily be disclosed to the Garda because disclosures to them would not be compatible with the purposes for which the information was kept, personal or payroll information and so on.
Paragraph (a) overrides these restrictions on disclosure and enables the controller to co-operate with the Garda if he wishes to do so but he is not compelled to do so. How would a firm be satisfied that they could safely disclose personal data under this provision? I believe that if they had any doubt about whether the information was required for the purpose of safeguarding the security of the State they would ask the chief superintendent or Army officer, as the case might be, personally to state his opinion that the  information was required for that purpose. If the matter was urgent — possibly involving a risk to life or property — and the chief superintendent was not present to make a request for information the firm could contact the chief superintendent by telephone for reassurance. If time allowed the chief superintendent could give a certificate about the purpose fo which the information was required.
In any subsequent proceedings that might be taken against the data controller for having disclosed the data that certificate, or a similar certificate prepared subsequently, would be evidence of the chief superintendent's or the Army officer's opinion. This is the effect of section 26 (1) (b). That certificate would be enough to absolve the data controller from any civil liability even if it were possible for any aggrieved party to prove that the chief superintendent could not reasonably have been or was not of that opinion, unless it is clear that the data controller knew all along that that was the case.
Section 8 (b) sets out the case in which a data controller is permitted to disclose personal data even though the disclosure is not named as such in the registered entry where the controller is registered or where the data controller is not required to register. The disclosure would not be compatible with the purposes for which the data are kept. It allows personal data to be disclosed where the disclosure is required for purposes of crime prevention, revenue assessment or collection and so on. However, such a disclosure is permitted only where non-disclosure would be likely to prejudice any of those purposes. An example would be where the Garda get a tip-off that a man's life has been threatened and that an attack against him is being planned. They might approach the individual's employer to ascertain his address for the purposes of alerting him. If that information is held on a computer it would be difficult to justify withholding it either because the data controller has not registered the Garda's disclosures or where the employer is not required to register because such disclosure would not be  compatible with the purposes for which the data is kept. Here again it is up to the data controller to disclose the information or otherwise.
Senator Ryan asked about section 5 (1) (b). Paragraph (b) extends the exemption from the right of access where the personal data referred to in subsection (1) (a), that is, crime or revenue data, are passed to a third party who needs them for the discharge for a statutory function. For example, the Revenue Commissioners may pass such data to the Ombudsman to enable him to investigate a complaint. The Ombudsman has power to compel the production of documents so departments would have no option but to disclose the data. Once the data are in his possession, strictly speaking, they would not so far as the Ombudsman is concerned, be held for the purpose of assessing or collecting tax so that without the extension of the exemption the subject could gain access to the data. The same would apply to data held by the police and passed on to the Garda Complaints Board in the course of investigating a complaint about Garda conduct.
As regards, the maintenance of good order and discipline in prisons, section 5 (1) (c) restricts the subject access provisions in any case to which the application of those provisions would be likely to prejudice the security of or the maintenance of good order and discipline in prisons or other places of detention such as military barracks. The decision on this would be taken by the Governor of the prison subject to review by the data commissioner and of course by an appeal to the Circuit Court.
Senator Ryan also asked about section 8 (c). Section 8 lists those cases where the restrictions in the Bill on data controllers disclosing personal data to third parties will not apply, for example where the garda need information for security purposes for the prevention of crime or where disclosure is urgently needed to prevent injury to someone and so on. Because the protection of the international relations of the State is equally  important as State security it is right and logical that a data controller should also be free, if he so wishes, to disclose information to the proper authority. This is the effect of section 8 (c).
Senator McKenna referred to the question of credit worthiness. I endorse what has been said by him and also by Senator Ryan. It is because of the concern expressed by them that credit reference agencies and financial institutions are required to register. It will be for the commissioner to decide what information will be required to be included in the register entry but he has power to require that persons who have to register must also disclose the sources of the information they have on their computers.
Senator McKenna expressed the hope that the fee to be prescribed for access would be reasonable. The Bill does not require any fee to be charged and I hope that many data controllers will not charge a fee especially where the information can be provided quickly. In fact data controllers may find it an advantage to send date to data subjects periodically in so far as it would help to keep the data accurate and up to date. In any case, if the cost of supplying the information is less than the prescribed fee the lower figure will apply.
Having said that, I agree with Senator McKenna that the fee should be reasonable and I will undertake to prescribe a reasonable sum. Senator McKenna asked if section 6 (2) was essential, if it would prove to be impractical or impose an undue burden on data controllers. Section 6 (2) requires a data controller who has made a correction or an erasure, at the request of the data subject, to notify everyone to whom he has disclosed the data during the preceding 12 months. This provision cannot be brought into operation until data controllers have adjusted their system so that a record is made of each disclosure. This is called logging. Subject to that I do not think it unreasonable that controllers should notify these corrections or erasures to people who have been given incorrect information and who may be making decisions, say, on credit worthiness on  them. Several continental legislations have such a provision. However, there will be consultations with the public and the private sector before this provision is brought into force.
Senator Norris advocates making hacking per se an offence under the Bill. I have to repeat that this would not be appropriate in this Bill which deals only with data protection — the protection of privacy of individuals — whereas hacking can affect a far wider area, fraud, larceny and so on and reaches into the general area of criminal law. Making hacking an offence under the general law has been the subject of detailed consideration in a number of countries but no country has made it the subject of a provision of data protection legislation.
The provision in this Bill as regards unauthorised accessing of computer data goes further than any other European legislation or proposed legislation on data protection. It is generally accepted that this type of legislation is not the appropriate vehicle for legislating on hacking. Even in those jurisdictions where hacking has been legislated for, there is a divergence of opinion as to whether hacking per se should be an offence or whether it should have to be accompanied by a subsequent disclosure to constitute an offence.
There are several problems about making hacking per se an offence. Hacking is not a legal term but rather a colourful Americanism. There are great difficulties in establishing exactly when hacking takes place. Hacking in one view might actually be advantageous since it encourages improvements in data and computer security to be made. I have answered as best I could the points raised by the Members of the Seanad, points which I very much appreciate because they contribute to a thorough processing of the legislative measures which are before us for consideration.
Question put and agreed to.
An Cathaoirleach An Cathaoirleach
An Cathaoirleach: Will the Leader of the House indicate when it is proposed to take Committee Stage?
Mr. W. Ryan Mr. W. Ryan
 Mr. W. Ryan: We will adjourn for one hour and resume on Committee Stage of this Bill.
Sitting suspended at 1.20 p.m. and resumed at 2.20 p.m.
Seanad Éireann 120 Data Protection Bill, 1987: Second Stage.