Everything’s changed… changed utterly..
The horsetrading about the formation of the next Irish Government is nearing a narrative crescendo, so we will expect to see some resolution to the question of who will be running the country for the next few years in the next few weeks. However, in the background of all of this there is the perennial uncertainty that arises among the people who take care of the day to day business of running the country, the Civil Service, about what the organisation structure will be once the new Government is formed. Inevitably, the negotiation of a “big G” government has practical implications for “small g” governance. In the past, this has most visibly manifested itself in the redesign and rebranding of departments (at some expense to the exchequer and a significant degree of waste in headed paper and other printed materials) and an inevitable confusion about who the contact person or decision maker is in respect of a “thing” now that that “thing” has moved elsewhere but the people who were working on it might not. (Don’t get me started on the impact on institutional knowledge and consistency of decision making…)
This time it is different. This time there are some potentially significant “small g” governance issues that may arise in the context of data protection and the systems of governance, organisational controls, and technical controls that have been implemented (or are in the progress of being implemented or improved) by government departments and associated public sector/public service entities.
Data Sharing Agreements / Joint Controller Agreements
When I was in the phone company an eternity ago, I dealt with a number of changes of owners and changes of CEOs. The organisation structure changed frequently, but the core processes and data persisted and remained largely the unchanged. We still had to sell things, send out bills, and serve customers. For public sector organisations, this is also true. The sharing of data between public bodies however to execute their functions is, however, different to the sharing of data between the sales department and the marketing department in a single legal entity like a phone company. There are a myriad of data sharing agreements in place between government departments and other government departments and with agencies acting under the aegis of a government department. In any reshuffling of portfolios and reconstitution of ministerial functions under the Ministers and Secretaries Act 1924 the “corporation sole” that enters into the data sharing agreement is the Minister for that Department of State.
So, what happens when the Ministry is moved, merged, broken up, or dissolved?
Well, unless the data sharing ceases, the data sharing agreements between departments will need to be updated to reflect the new structures and the new lines of accountability and responsibility. In the case of a function being split out from a department where previously the sharing was entirely internal so that part of a function once in Dept A is now in Dept B, a data sharing agreement will need to be put in place.
And in doing all of that, it’s worth bearing in mind that cases such as the Fashion ID case have implications for the relationships between Data Controllers that need to be considered, particularly in the context of potential Joint Controller relationships. It’s important to bear in mind that these relationships aren’t a matter of preference, posture, or contract but are informed by the factual nature of the processing and the level of decision making and control that is in place in respect of any shared processing activity.
Bear in mind that the “essence” of any joint controller agreement will need to be published (ideally as part of your Data Protection Notice)
[Update – 26/09/2023] – Another wrinkle is when it comes to Data Sharing Agreements under the Data Sharing and Governance Act 2019 that have been entered into by a Department that is having its functions split, moved, or transferred. These will need to be updated too! [/update]
Registers of Processing Activities and Data Protection Notices
These will need to be reviewed and updated. Functions that are moving out of a Department will need to be identified and removed from the ROPA once the function has moved. But this will need to be reciprocated by an updating of the ROPA in the new home for that processing activity or function so that that ROPA accurately reflects the processing activities of that Department.
With this will also come a need to update Privacy Notices and any other communication of processing purposes and activities to reflect the processing activities of the Department.
Data Protection Officers
Spare a thought for the DPOs. Many of them will just be finding their feet, particularly in departments or bodies where there has been a high turnover of DPOs in recent months. If Departments merge, who will be retained as the DPO? Will there be a transition plan to align data protection governance structures, policies, procedures, training, and tools? If a Department is split, how will the period between the twinkle in the eye of the negotiators of the Programme for Government and the appointment of a DPO to the new Department be managed? This is not an administrative question. This is a very significant issue of corporate governance and compliance with EU law that needs to be given careful consideration.
As I’m sure there are initial scoping discussions happening about the potential movement of and restructuring of departments and public bodies acting under the aegis of departments going on at different levels, I would hope that Secretaries General and their senior management teams are engaging the Data Protection Officers in these strategic scoping discussions that may relate to the processing of personal data of the members of the public who interact with those bodies and, lest we forget, the staff employed in those organisations.
For example: if there is to be a movement of staff from Dept A to Dept B, what consideration has been given to managing the data protection issues and risks arising from the transfer of their data, and what consideration has been given to the archiving and preservation of emails or other departmental records associated with those staff before they move?
A further consideration needs to be the implication for the preservation of the independence of DPOs in Departments as a reorganisation and reshuffle is a convenient time to move a DPO who is perceived as “problematic” aside, particularly if there is a merger of departmental portfolios.
Data Subject Rights
The GDPR doesn’t include a “Moving the Chess Pieces” exemption from complying with Data Subject Rights requests. What plans are in place for landing and closing out Subject Access Requests and other active data subject rights requests in the event that departments are being folded into other departments or functions are being spun out into new entities? While it may be a small issue in the grand scheme of things, the effective and consistent management of cases is an important function that gives effect to the fundamental rights of individuals under data protection law. Also, I would be sceptical if the DPC or CJEU would accept “pressures of reorganisation” as a basis for claiming requests were manifestly excessive.
Also under this heading, we need to consider issues of access to information if historic records for the functions of a new Department are held in the IT systems of another Department.
The downside of “capture once, use everywhere”
The data management downside of a “capture once, use everywhere” approach to data management is that that assumes stability in the functions and processes and in the “big G” governance for that data. If the universe changes, the “small g” governance controls will need to be updated in a timely manner, and the impact on the day to day operation of data protection related processes needs to be minimised as part of a planned approach to change.
The hidden opportunity..
The regulatory environment that government operates in today is significantly changed from the environment that was in place the last time there was any large scale restructuring of government departments. There is, however, a hidden opportunity here. Much of the challenge for DPOs in Government Departments and agencies acting under the aegis of government Departments is how to ensure the independence of the DPO within the reporting hierarchy of the department. An associated challenge is developing “data protection” as a professional competence in the public sector, when the general policy is towards “generalists” in public sector functions.
Personally, I find this baffling in a role that can be as complex as a DPO function and I’ve seen a number of excellent public sector DPOs over the last few years being moved into different roles that were less suited to their skillsets and temperament simply because there was no career path for them as a DPO. Equally, I’ve seen small agencies struggle to recruit and appoint appropriately skilled DPOs. There is an argument to be made (and I’ve made it in the past) for the creation of a “Department for Data Protection” to be the independent DPO function across the Public Sector. This would allow for the creation of specialist career paths and would provide a further buffer between the Data Protection Commission as a Regulator and the Government as both a regulated entity and the paymaster for the Regulator.
Ireland was the first country in Europe to appoint a Junior Minister of State with specific responsibility for Data Protection back in 2014. This role was subsequently downgraded in prestige by being loaded in with multiple other porfolios. Perhaps it’s time for Ireland to show some additional leadership on Data Protection Governance in the Public Sector as part of minimising the disruption to departments if there is a period of musical chairs for DPOs.