DPC (Ireland) - DPC Case Reference: IN-21-3-2

From GDPRhub
DPC - IN-21-3-2
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5 GDPR
Article 6(1) GDPR
Article 6(4) GDPR
Article 9(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 16.06.2023
Published:
Fine: 22,500 EUR
Parties: n/a
National Case Number/Name: IN-21-3-2
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: [https:https://www.dataprotection.ie/sites/default/files/uploads/2023-07/20230710_Full%20decision%20IN-21-3-2%20Dept%20of%20Health.pdf Irish DPA (in EN)]
Initial Contributor: LR

The Irish DPA fined the Department of Health €22,500 for processing personal data from people involved in litigation against it in an unsafe, excessive and non-transparent manner.

English Summary[edit | edit source]

Facts[edit | edit source]

In March 2021, the Irish DPA became aware of allegations made publicly by a staff member of the Department of Health (DOH). According to these allegations, the DOH, as a controller, collected and processed personal data of plaitinffs of health services to children with special education needs (SEN).

The DPA opened and inquiry to investigate 29 litigation files related to the matter.

On the files, the DPA found evidence that the controller collected information about services that were provided to plaintiffs and their families. To do so, the controller submitted broadly worded questions asking the Health Services Executive (HSE) - an agency under it remit - to share “any other issues HSE feels worth mentioning.” This broad question resulted in the provision of private information about the lives of plaintiffs and their families, including details about plaintiff’s jobs and living circumstances, information about their parents’ marital difficulties and in one case, information received directly from a doctor about the services that were being provided to the plaintiff.

In response to the DPA, the controller claimed that personal data were processed only for the purposes of determining whether an approach should be made to the plaintiff to seek to settle the case.

Holding[edit | edit source]

The DPA clarified that, under sections 41 and 47 of the Data Protection Act 2018, controllers can process personal data where it is necessary to provide or obtain legal advice or in the context of legal proceedings. On the other hand, it emphasized that this processing must respect the principles of necessity and proportionality.

In the case at hand, the DPA found that the controller did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in relation to cases where there was open litigation. However, the DPA found that the controller did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families.

According to the DPA, the information collected was excessive and disproportionate to the aims pursued by the controller and the processing for this reason was not necessary for the purposes of litigation. Therefore, the DPA found that there was no lawful basis for this processing in the files examined, and that the controller had infringed the principle of data minimisation.

Additionally, the DPA concluded that the controller had violated its transparency obligations under the GDPR. The inquiry found that it did not include details of its practices in its privacy notice. In particular, the privacy notice did not convey the extent of information sharing that took place between the controller and the HSE. The DPA held that the controller could not rely on any exemptions under the Data Protection Act 2018 to avoid providing summary information about those practices in its privacy policy.

Finally, the DPA found that the controller had infringed the requirements to process personal data securely since it ought to have ensured that better internal access restrictions were in place in relation to the files.

For these reasons, the DPA imposed a fine of €22,500 and a ban on the processing.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Inquiry concerning the Department of Health

(IN-21-3-2)

Date of Decision: 16 June 2023

The Data Protection Commission (DPC) has completed an inquiry into certain aspects of the Department of Health’s processing of personal data in 29 litigation files. The inquiry was commenced following public allegations in 2021 that the Department had unlawfully collected and processed personal data about plaintiffs and their families in special educational needs litigation.

On the files examined, the DPC found evidence that the Department sought information from the HSE about services that were provided to plaintiffs and their families. The Department also included broadly worded questions asking the HSE to share “any other issues HSE feels worth mentioning.” This broad question resulted in the provision of private information about the lives of plaintiffs and their families.

The Department told the DPC that they processed this personal data for the purposes of determining whether an approach should be made to the plaintiff to seek to settle the case. The DPC considered whether it complied with data protection law for the Department to process the personal data for this reason. Under sections 41 and 47 of the Data Protection Act 2018, controllers can process personal data where it is necessary to provide or obtain legal advice or in the context of legal proceedings. In order to determine whether personal data had been lawfully processed by the Department under this provision, the DPC applied the EU law principles of necessity and proportionality. 

The DPC found that the Department did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in relation to cases where there was open litigation. However, the DPC found that the Department did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. This information included details about plaintiff’s jobs and living circumstances, information about their parents’ marital difficulties and in one case, information received directly from a doctor about the services that were being provided to the plaintiff.

The DPC found that the processing of information obtained in response to broad scoping questions sent to the HSE for the purposes of seeking to settle a case was excessive and disproportionate to the aims pursued by the Department and that the processing for this reason was not necessary for the purposes of litigation. Therefore the DPC found that there was no lawful basis for this processing in the files examined, and that the Department had infringed the principle of data minimisation by processing this personal data.

Having regard to the relevant factors under the GDPR and the fining cap for public authorities under the Data Protection Act 2018, the DPC decided to impose a fine of €22,500 for these infringements. The DPC also imposed a ban on further processing the sensitive data in the files examined for the purposes of determining an appropriate time to settle a case.

During the inquiry, the DPC found that the Department retained other information that it had collected from the HSE and that it had received from other government departments on its files. The DPC did not find evidence on the 29 litigation files examined that the Department had proactively sought information from other government departments. The DPC also did not find an infringement of data protection law arising from the fact that the Department stored this information for the purposes of defending litigation. The files relate to active litigation and the DPC recognised that there are a number of obligations that require defendants to retain documents that relate to open litigation.

Additionally, the DPC found infringements of the transparency obligations under the GDPR. The inquiry found that the Department did not include details of its practices in its privacy notice. In particular, the privacy notice did not convey the extent of information sharing that took place between the Department and the HSE. The DPC found that the Department could not rely on any exemptions under the Data Protection Act 2018 to avoid providing summary information about those practices in its privacy policy.

The DPC also found that the Department had infringed the requirements to process personal data securely. The inquiry found that the Department ought to have ensured that better internal access restrictions were in place in relation to the files. 

In addition to the fine and ban on processing outlined above, a reprimand was imposed for all of the infringements.

For more information, you can download the full decision - Inquiry concerning the Department of Health (PDF, 1.35mb) June 2023.