Data Sharing and Governance Act 2019

44

Establishment of personal data access portal

44. (1) The Minister may, with the approval of the Government, establish an information system for the purpose of enabling a data subject to—

(a) exercise his or her rights under the General Data Protection Regulation, and

(b) view information in relation to the personal data breaches, if any—

(i) which affect his or her personal data, and

(ii) in respect of which a notification has been made for the purposes of Article 34(1) of the General Data Protection Regulation.

(2) The information system referred to in subsection (1) shall incorporate a website (to be known as the “Personal Data Access Portal”) which may include facilities by means of which a data subject may—

(a) view personal data relating to him or her held by a public body, together with the information relating to that personal data referred to in Article 15 of the General Data Protection Regulation,

(b) view information in relation to the personal data breaches, if any—

(i) which affect his or her personal data, and

(ii) in respect of which a notification has been made for the purposes of Article 34(1) of the General Data Protection Regulation,

(c) view a copy of a data-sharing agreement under which his or her personal data has been disclosed between public bodies, and

(d) send a request to a public body in relation to the exercise by him or her of the rights provided for in Articles 15, 16, 17, 18, 19, 20 and 21 of the General Data Protection Regulation.

(3) Where an information system referred to in subsection (1) includes a facility referred to in subsection (2) in respect of a public body, that public body shall use all reasonable endeavours to put in place and maintain technical and administrative measures for the purposes of—

(a) enabling the provision of the information referred to in subsection (2)(a), (b) and (c) held by that public body to the information system referred to in subsection (1) for the purpose of allowing it to be viewed by the data subject to whom it relates, and

(b) facilitating the sending of—

(i) a request referred to in subsection (2)(d), and

(ii) a response to such a request.

(4) A public body may disclose information to the Minister through the information system referred to in subsection (1) for the purpose of—

(a) providing the information referred to in subsection (2)(a), (b) or (c), or

(b) facilitating or responding to a request referred to in subsection (2)(d).

(5) Information shall not be disclosed in accordance with subsection (4) unless the data subject concerned has—

(a) requested to view the information referred to in subsection (2)(a), (b) or (c), or

(b) made a request referred to in subsection (2)(d),

through the information system referred to in subsection (1).

(6) The information disclosed in accordance with subsection (4) shall be stored on the information system referred to in subsection (1) only for so long as is necessary to facilitate the completion of the actions referred to in subsection (2).

(7) A public body that discloses personal data to the Minister in accordance with subsection (4) shall be the controller in respect of that personal data for the purposes of the General Data Protection Regulation.

(8) Nothing in this section shall be construed as requiring the disclosure of information in relation to a person to that person where the disclosure of that information to that person—

(a) is prohibited under an enactment or a law of the European Union, or

(b) may be restricted in accordance with an enactment or a law of the European Union.

(9) In this section “personal data breach” has the same meaning as it has in the General Data Protection Regulation.