Tynwald put itself on a collision course with the Information Commissioner - and potentially the European Commission - over changes to data protection rules.
It came after the Clerk of Tynwald’s Office rejected on the grounds of parliamentary privilege two separate subject access requests for personal information made the same day.
One of these was from a witness who gave highly-sensitive information to a Tynwald committee and wanted a copy of the evidence they had given.
The other involved information relating to a pending employment tribunal claim against the Clerk of Tynwald’s Office.
This led to a ruling in Tynwald by president Steve Rodan at the October sitting, on the advice of Clerk of Tynwald Roger Phillips, which stated that the parliamentary privilege exemption should be the default position when subject access requests are made by members of the public.
An investigation into a complaint made to the Information Commissioner concluded that the Clerk of Tynwald had infringed GDPR data protection legislation by refusing to comply with the subject access requests and applying the parliamentary privilege exemption without justification.
It also led to an enforcement notice being issued against the Clerk of Tynwald’s Office.
Following the Commissioner’s intervention, and on the advice of the Attorney General’s Chamber’s, Mr Rodan withdrew his ruling at the January Tynwald.
Then at the March sitting, Tynwald approved changes to GDPR data protection legislation.
Policy and Reform Minister Ray Harmer told the court there was a clash between two opposing principles: the right of the Information Commissioner to supervise the handling of personal data, and Tynwald’s constitutional right to manage its own affairs.
This clash of principle had been played out, he said, through a data subject access request from a witness before a ’highly sensitive committee inquiry’.
A new regulation was inserted making the right of access to personal data exempt where this would infringe the privileges of Tynwald and its branches.
Amendments to other regulations allow Tynwald not to give information to the Information Commissioner or comply with an enforcement notice.
Douglas Central MHK Chris Thomas, who raised concerns about the changes when the motion was debated in March, said: ’The European Commission will need to consider the adequacy of our data protection arrangements.
’This matter might be something it takes into account, certainly if it becomes clear that the Isle of Man is not compliant in respect of how parliamentary privilege is handled.’
Information Commissioner Iain McDonald explained the right of individuals to request access to their own personal data originates from a Council of Europe convention which has applied to the Isle of Man since 1993.
It is also covered by EU General Data Protection Regulation rules on controlling and processing personal data which came into force in May 2018.
He said: ’The president’s blanket ruling was contrary to both Convention 108 and the GDPR.
’Tynwald has decided that when it refuses an individual the right of access to personal data that individual cannot make a complaint to the Information Commissioner for independent investigation.
’It is for the European Commission to determine whether the actions of the Clerk of Tynwald in response to receipt of a subject access request and subsequent amendments to the island’s legislation mean that the island continues to meet the criteria for adequacy.’
He added: ’Importantly, I believe that as a result of my Offices’ investigation , the vulnerable individual that the Minister referred to has been provided with his personal data.’