knowledge | 5 August 2021 |
Sharing is Caring (Subject to Strict Conditions): Commencement of the Data Sharing and Governance Act 2019 and its Impact on Data Sharing Between Public Bodies
On 7 July 2021, provisions of the Data Sharing and Governance Act 2019 (the ‘DSGA’) carrying implications for the way in which public bodies may exchange data were commenced.
The DSGA is intended, among other things, to reduce the burden on individuals who wish to receive public services from having to provide the same information to different public bodies and to facilitate the effective administration of public services. However, it caused ripples when it was enacted in March 2019 as it creates strict requirements for the exchange of data between public bodies in specific circumstances and creates a layer of oversight of this data sharing in the form of the Data Governance Board. Many of the more onerous provisions were not brought into for upon its enactment, however, following the commencement order on 7 July they are now very much alive and kicking.
For public sector bodies, the key areas that have been commenced are:
- Section 13, which creates requirements for data sharing between public bodies subject to certain exceptions. It provides a legislative basis for sharing data where there is no other legislative provision that specifically permits it. However this basis is subject to conditions including that the data is disclosed in connection with the performance of a function, for one or more of a limited range of purposes and that the sharing takes place under a data sharing agreement.
- Part 4 on Data Sharing Agreements, which set out detailed provisions that must be included in a ‘data sharing agreement’, including that one of the parties must be designated as a ‘lead agency’ and perform responsibilities set out in section 21.
- Part 7 on base registries, which are databases designated under an order pursuant to section 37 of the Act. Part 7 contains responsibilities on and powers for public bodies who are the owners of these base registries.
- Part 8 on the personal data access portal, which is to be a website that will, among other things, enable data subjects to exercise their right of access in relation to personal data relating to them held by a public body and to see details of personal data breaches affecting them involving public bodies.
- Part 9 on data governance, which includes:
- the establishment of the Data Governance Board. which will have certain advisory and oversight functions in relation to activities within the scope of the DSGA 2019, including reviewing proposed ‘data sharing agreements’ prepared by public bodies to cover data sharing arrangements between them; and
- the procedure for the adoption of a data sharing agreement, which must include the publication of the agreement in draft form, along with any data protection impact assessment that has been carried out in relation to the data sharing arrangement in question and certain other information, to facilitate review and comments by members of the public (in addition to the submission of the draft agreement to the Data Governance Board for review).
While the data sharing arrangements may positively benefit individuals receiving personal services from public bodies, the commencement of these provisions creates additional requirements and restrictions for public bodies that transfer data and marks a new horizon for data sharing in the public sector. Public bodies will need to review their data sharing arrangements to ensure that they comply with the requirements of the DGSA, where applicable, now that it has largely been brought into force.
Also contributed by Aoife Mac Ardle.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.