10. Creditinfo – Hugh J. Ward - Department of Public Expenditure

Creditinfo, Ireland is delighted to be in a position to share and transfer some of our
knowledge and evaluations from our operations around the world with regard to the “Data
Sharing and Governance Bill: Policy Proposal”.
One of our specific areas of expertise is Data Analytics, with direct experience in
supporting companies to reduce exposure to credit risk and fraud. This has included large data
sharing programs dealing predominantly with credit risk reduction, payment behaviours and
prevention of fraud.
Many of our projects focus on reviewing all data sources, primarily to review the
effectiveness and accuracy of the data and also to initialise a “one view” program for the
data to enhance the fabrication process and to maximise the use of data.
These comprehensive reviews often result in findings that include gaps on data privacy
issues, particularly around consent, purpose and retention. Additionally, we expose other
areas such as cost management on data, data processing and data wastage.
We also hold significant expertise in public policy-making and an understanding of the
unique position of public sector organizations which are ultimately politically accountable and
therefore differ from business, which is focused mainly on profit-maximization. Data Privacy
and Anti-Money Laundering regulation are also a forte of the organization, where policy creation
for private sector organizations is managed to the finest detail.
Creditinfo operates in 15 countries and in each of the countries in which we operate, we
have dealt with different rules and regulations, different cultures and mentalities, different
data structures and data quality, different IT infrastructures and different data protection
laws. We have handled each of these in an expert manner that is evidenced by the ongoing success of each operation today and the willingness of multilateral agencies like the
World Bank and the IFC.
Consultation Questions and Responses
1. Do you agree with the definition of data sharing?
2. If you do not agree, how do you believe the definition could be improved?
The definition of data-sharing is quite simplified; however, there are some items on which it is
silent. In particular, where the sending body agrees to provide the data: under
legislation there are specific laws that exclude the need for consent from a data subject or
withholding of data under a subject access request, but does the Government
department really have permission to share data from, let’s say, the Department of Health to
the Department of Justice and Equality? What would be the purpose of this data share? Is
there a specific purpose?
Access to a data subject’s information should, for most of the time, be freely given by the data
subject, unless under specific legislation for which there is no requirement for consent.
We have seen this more recently, where on:
“18 July 2014, the Minister for Justice and Equality, Frances Fitzgerald, signed in regulations
337 and 338 of 2014, which were brought into force on 18 August 2014. These were
previously inactive provisions of the Data Protection Act 1988 (DPA). Section 4(13) of the
DPA which makes forced subject access requests a criminal offence.”
Data sharing is based on transparency: who has access to a subject’s data and what are
they going to do with it. The purpose must be clearly defined and consent should be sought.
Utilising a service that can manage consent in a digital environment, using technology that
allows the data controller, data processor and data subject to achieve this threshold of
confidence, leads to the unambiguous consent of the Data Subject or Citizen of Ireland and
to the educational process on the benefits to the data subject of data sharing between
departments.
3. What do you believe are the priority areas for data-sharing to contribute to improved
public service?
Over the last 20 years we have seen a significant increase in requests for data sharing
programs. Whilst data sharing as explained in the Data Sharing and Governance Bill
highlights the benefits for service users, data-sharing in itself far surpasses this expectation.
Not only can it provide the “ask once, use-many” vision, it will also support a “get it right
first time” process, so limiting the need for intervention further down the line.
Getting it right first time is a unique program that uses various functions and logic to validate
data automatically, similar to what would be used in our Fraud platform. It does require the
setting of particular questions that are mandatory in any manual or digital document. Simply
asking the right question, in the right way, at the very beginning of the data collection period
can reduce errors and omissions at a later stage. It can also mean that the Unique IDs can
be validated continuously to the end of the data retention period and can be purged
systematically in a recorded structure.
It is a well-known issue that the retention of expired, out of date, incomplete or inaccurate
records significantly increases costs year on year to a public body. These costs can be
financial and fiduciary, exposing the department or organisation to potential substantive data
privacy breaches and negative brand reputation.
Effective data-sharing starts with the first initial key stroke of a new unique ID, and in terms of
common language this would be an Irish Citizen’s PPS number, or a Company’s
Registration/Business Number.
The process of bringing data together to a single point of view enhances the KPIs of an
organisation, delivers a superior customer experience and significantly reduces error within
data, so reducing the cost associated with storing and managing the data.
4. Do you agree that more effective data-sharing can help drive public service reform?
Data-sharing should be a keen focus of the Government; using data effectively will drive
public service reform. Data-sharing needs to be strategically planned yet given the flexibility
to change in short time frames.
Accurate data is highly beneficial in a sharing platform, and a continuous
data flow is necessary to the management of public expenditure. A simple statement is: if you
have the data already, why would you pay to access information that you can seek at no
cost?
Data-sharing will enhance the various Government Departments’ data and analytic
capabilities, which will have significant value to add to the Irish Public Service as a
whole. This will pave the way to step-by-step changes in an approach to evidence-based
policy-making.
5. Where are the main areas where you believe this can be achieved?
Data Controllers such as the Revenue Commissioners, Department of Social Protection,
Department of Jobs, Enterprise and Innovation (Company Registration Office), Department
of Finance and the Department of Communications, Marine and Natural Resources,
Department of Agriculture, Department of Justice (AMLCU) have a wealth of data that can
be utilised to create a single view in relation to, let’s say, Fraud Activities and the validation of
commercial entities that are trading inappropriately or outside the guidance of the
Companies Acts or AML regulation. This in itself will be vitally important with the forthcoming
Companies Act 2012 and AML 4.
Focusing on business data in particular, payment data can be shared where there is no
need for consent and where there are no concerns in relation to data privacy breaches; the
private sector has been sharing trade payment data for many years.
This provides a clear view of the payment trends of different organisations and can provide
insight into a business’s ability to meet its obligations. It can also be used for the purpose of
managing fraud or statistical evaluations of specific sectors, so enabling the likes of the CSO
and the Open Data Initiative. Payment data provides an unbiased overview of a company’s
financial position. It can also be supportive to Revenue in relation to a predictive approach
when dealing with potential liquidations and insolvency.
Additionally, there is a serious situation which is currently not for consideration within the
Companies Act 2012 and will continue to cause financial concerns to Public bodies. The
common name for this issue is “Phoenix Companies”: companies that close their doors and
then set up under a new name, defaulting on all creditors.
Data-sharing can provide insight on businesses and directors, in particular those who have
negated their fiduciary duties. Data-sharing in this instance could allow a monitoring program
that can assist the Public Body in identifying and tracing those directors who have negated
their legal duties, allowing action to be taken instead of the inability to act.
6. Do you share the assessment that a new legislative framework for data sharing is
required? Please give reasons for your answer
Yes, we would agree that a new legislative framework for data sharing is required. There is a
requirement to provide transparency of who has access to what data.
Data sharing requires clear and direct guidelines, in particular on data privacy. Looking at the
simplified European Framework on Interoperability, there is a need to prove that there is a
legal basis for sharing data. Simply put, we go back to what is the purpose of sharing the
data. Data sharing requires purpose; we cannot share information just because we want to
or can. The data type requires content evaluation, such as what is contained in the data set,
what relevance that data would have to other data sets, and what the benefits would be to the data
subject and controller if the data was shared or other data sources were utilised to improve the
quality and the enhancement of the information.
7. In terms of the interoperability framework set out above, what do you see as the main
obstacles to data-sharing, and how should they be addressed?
If we were to look at organisational obstacles, data is used everywhere. If one organisation
can see no tangible benefit to the sharing of data with another who requires the data, a
simple points-based system could be initialised to incentivise the organisation or department
that is reticent to share the data, provided that the sharing does not breach any law or act.
A trusted 3rd party data operator or central hub can operate such a points system. The
incentive could be one of “creating the greater good”, an increased budget, or it could be made
conditional on the department’s performance reports and reviews.
Semantics - there should be one specific identifier used in data: PPS for the individual,
Business Number/CRO Number for commercial and Folio/Land Registry for Households and
Property. If we were to look back at some of our previous comments, being specific about
what data is captured initially is half the battle with mismatch and data organisation. A
retrospective review can be championed, and as departments share data to the central
repository the data can be deciphered and cleaned to reflect the actual requirements for
clean data. Is this a significant piece of work? Yes. Will the benefits in the long term outweigh
the work? Absolutely.
Technical - know-how, or how to use the data, why you would use the data, what the data is
used for. Again, going back to purpose, you will only acquire data that you require or that will
benefit the department or the data subject. Looking to the 3rd party data operator or central
hub, the requirements of that department will be investigated and actualised. The 3rd party
data operator will ensure the security of the data and examine the purposes (needs) of the
department who will be the receiver of the data. The 3rd party data operator manages the
training, implementation, report build and the access to the data that the department has
requested. A request process and reporting need/statement of works is provided and utilised
at this stage.
8. Do you have suggestions for how best to embed these data protection principles in
the Data-Sharing and Governance Bill?
Purpose requests for access to the central data portal. There should be a legitimate purpose
for the request of access to certain data elements.
E.g. “AMLCU received a SAR and wants to investigate the current financial position of a
data subject who is under investigation. They require access to open a case and investigate
data from DSP and Revenue. The purpose is to review the financial position of the data
subject: does the data subject receive a social welfare payment, does the data subject make
personal contributions to Revenue, or are they PAYE? This is a legitimate purpose and has
provision for investigation and data sharing.”
9. Do you have any ideas or proposals to ensure that consideration of these proposals
benefit from wide public consideration, analysis and debate?
Create an open public forum, invite in various private and public sector subject matter
experts and, in so doing, start the process of creating a workshop to explore further. Share with
the public in general the benefits of data-sharing and the intention to reduce the length of time it
takes to process applications. Social Media is a clear conduit through which the Government can
engage with their people. Consideration for formats such as Ted Talks, Twitter, polling and
social conversation should be looked at.
10. How far can the Bill go in providing the necessary powers to share data while at the
same time ensuring clarity around what exactly is permitted?
Purpose statements: position a review of all data currently in circulation within the
departments. Line item each data element and explore the needs of the public and each
department. Permission levels within each department and the right of access of each
department are subject to request and approval. Where departments are dealing with highly
sensitive data or data that is subject to critical scrutiny, extra stringent safeguards should be
included.
11. Should both personal and sensitive personal data (within the means of the Data
Protection Act) be covered by these provisions? If so, what extra protections are
required around sensitive personal data?
Only information that is deemed necessary to the data controller would be included. Let’s
say, for example, your religion, or the fact that you are on medication for a disease: anything that
could create any form of prejudice should not be used for consideration in a DSP
application for unemployment benefit, or by any other department where the information is
not deemed necessary to the purpose. We need to be mindful of mistakes made in
the past - the use of sensitive personal data in the Holocaust. Again, what is the purpose
of sharing highly sensitive data? If there is a purpose it needs to be clearly defined, and
permission for sharing this data is to be sought directly from the data subject.
12. Should the Oireachtas have a role in overseeing or approving some types of data
sharing arrangements? If so, how extensive should this role be?
The President should have a role in overseeing some items applicable to the Constitution.
Article 26 chapter 2.1 - reference of bills to the Supreme Court
Council of State - where a bill is repugnant to the Constitution, such as Article 40.3 (2)
13. What other specific data-sharing arrangements should be considered?
We believe that we have already covered this aspect.
14. Should a general provision be added to enable widespread access to information on
Births, Marriages and Civil Partnerships?
Yes, this would be beneficial. Should we not also include Deaths, giving a simple ability to remove
citizens from communications and ensuring that family members are not distressed when their
deceased family member receives communication in error from a department?
15. Some jurisdictions are examining the concept of an “honest broker” or a “trusted third
party” - this would have the power to accept any data and process it on behalf of
public bodies, while preventing the public body from accessing the raw data. Is this a
concept that could usefully be included in the Bill?
We have alluded many times above that this would be a prudent way of managing data; it
would also prove to be more cost effective and can streamline the management of the data.
This trusted 3rd party data operator can facilitate the data requirements, manage the
regulatory responsibility and keep safe and secure information relating to businesses and
natural persons (data subjects). In Iceland all Government controlled Public Registers are
required to feed their data into a central credit bureau. This Central Bureau is operated by
Creditinfo in Iceland. Citizens are referred to the central bureau to obtain, maintain and
administer the veracity of their data.
16. Should specific provisions relating to the sharing of “anonymised” data be included?
Anonymised data should be provided for, and it must be clear that no elements of data could
be brought together to identify the data subject or remove the anonymity. Specific and clear
guidelines must be created around this. An example of an issue with anonymity is
the use of the proposed postcodes as an identifier for the data: even without other data,
a data subject could be identified.
17. Do you agree that “The problem (of data governance) is therefore primarily one of
better implementation, rather than an absence of legislation”?
Yes, we agree that the primary problem with data governance is the lack of
implementation or the lack of understanding of the obligations. It should be proposed that a
Data Privacy Officer (Data Governor) is retained in each Department and that these
officers make independent evaluations on the implementation and the management of
Data Privacy Obligations and Data Management, alongside ensuring that all relevant staff
are trained on the simple principles of Data Privacy Regulations. Ireland has sound data
privacy principles but there is an educational requirement for some Data Controllers,
Data Processors and the Data Subjects themselves.
18. Should the Data Protection Commissioner have a role in monitoring and reporting on
compliance with these governance provisions?
Yes, and we would go so far as to say that the Data Privacy Officers should have a dotted
line into her department and this should be considered within the Bill. They are required
to share their implementation and process program with the DPC for her agreement and
regulation.
19. In what circumstances should a Department be able to “opt out” of the transparency
requirement for a particular data-sharing arrangement?
In the matter of suspected criminal activity, it would be neither prudent nor safe that this
arrangement be made transparent. Additionally, highly sensitive data should be protected
at all costs and this would include the allowance of “opt-out”.
20. Is it practicable for these arrangements to apply to all existing data-sharing
arrangements, not just the new ones?
Yes, it would be practicable and correct to apply the above arrangements to all data
sharing programs, new and old.
21. Is the base register concept a useful one?
Yes, provided that the data request and parameters seek similar information. To make a
base register or Master Data Universe work there need to be similar footprints or
application process requirements.
22. What other base registers could usefully be defined?
We have considered this question and we believe that additional registries such as a robust
Judgment Registry should be considered.
The Vehicle Registration database should be made available to the public. Additionally, it
should be shared with the Department of Justice for the prevention of fraud and money
laundering.