A few weeks ago I did a lot of research to find the specific section of legislation that authorised Irish Water to request PPSN details from people. It is Section 20 of the Social Welfare and Pensions Act 2014.
So, a bit of a law was done to do a thing. But could that thing actually be done? Were other things needed to be done to make the request of and processing of PPS numbers lawful?
Simon McGarr correctly points out that putting a body on the list of registered bodies is only part of the governance. A protocol is required to be in place governing the use of the data which needs to be approved by the Minister. http://www.mcgarrsolicitors.ie/2014/10/22/irish-water-ppsns-and-the-missing-ministers-agreement/
That protocol appears not to have been in place as of the end of September. After the forms were finalised and sent out. Any PPSN data obtained prior to the finalisation of such protocols was obtained unlawfully. This is a failure of Data Governance. A key Regulatory requirement appears to have been missed.
This is a good example of how doing “a bit o’law” to enable sharing of data is insufficient to ensure compliance. In the absence of a strong Data Governance function to ensure that the right things are done in the right way errors occur, disproportionate processing takes place, and groupthink takes hold. I discuss this at length in a submission my company Castlebridge Associates made in conjunction with Digital Rights Ireland to the Dept of Public Expenditure and Reform on a proposed Data Sharing and Governance Bill.
That document is here: http://castlebridge.ie/products/whitepapers/2014/09/data-governance-and-sharing-bill-consultation-submission