DPC (Ireland) - DPC Case Reference: IN-21-3-2: Difference between revisions

From GDPRhub
 
(I edited the summary to: - place the facts in chronological order; separate facts and holding; make a short summary concise and direct.)
{{DPAdecisionBOX
|Jurisdiction=Ireland
|DPA-BG-Color=background-color:#013d35;
|DPAlogo=LogoIE.png
|DPA_Abbrevation=DPC
|DPA_With_Country=DPC (Ireland)

|Case_Number_Name=DPC Case Reference: IN-21-3-2
|ECLI=

|Original_Source_Name_1=Data Protection Commission
|Original_Source_Link_1=https://www.dataprotection.ie/en/resources/law/decisions/Inquiry-concerning-the-Department-of-Health
|Original_Source_Language_1=English
|Original_Source_Language__Code_1=EN
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Other
|Outcome=
|Date_Started=
|Date_Decided=
|Date_Published=
|Year=
|Fine=22,500
|Currency=EUR

|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=Article 6(4) GDPR
|GDPR_Article_Link_3=Article 6 GDPR#4
|GDPR_Article_4=Article 9(1) GDPR
|GDPR_Article_Link_4=Article 9 GDPR#1
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=Department of Health
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=Tsholofelo Rantao
|
}}

Previous revision (the text replaced by the edit summarised above; the revised text is rendered below under "Revision as of 09:32, 18 July 2023"):

The DPC found that:
- The DOH did not take appropriate technical and organisational measures to ensure compliance with the GDPR provisions it breached.
- The organisational measures implemented undermined the principle of data minimisation and the requirement to have a lawful basis for processing, as set out in Articles 6 and 9 GDPR. Therefore, the DOH did not implement appropriate technical and organisational measures to ensure compliance with Article 25 GDPR (data protection by design and by default).
As a result, the DOH breached Articles 5(1)(c), 6(1), 6(4) and 9(1) GDPR, and the DPC therefore imposed three corrective measures: a prohibition on processing in the terms set out in Part 9B of the decision, a reprimand and a fine of €22,500.

== English Summary ==

=== Facts ===
The DPC found that the Department of Health (DOH) had breached the Data Protection Act by asking broad questions that led to the provision of sensitive information about members of the public who had a history of litigation against the Department. The DPC was made aware of the allegations by a DOH employee ("whistleblower").

On 25 March 2021, the DPC became aware of allegations made by a DOH staff member that highlighted the way in which the DOH collected and processed the personal data of members of the public. After seeing a prime-time broadcast on RTE 1 about the allegations made, the Data Protection Commissioner opened an inquiry under section 110(1) of the 2018 Act. The DOH sets policy on the provision of health services to children with special educational needs ('SEN' or 'SENs'), with the aim of supporting these children to access an education appropriate to their needs.

=== Holding ===
The DPC's inquiry focused on Articles 5(1)(a), 5(1)(b), 5(1)(c), 5(2), 6, 9, 14, 24, 25, 30 and 35 GDPR. It also focused on data protection governance and the security of personal data. The data that was the subject of the investigation included information held in filing systems and processed by automated means. The information related to claimants who had initiated litigation against the DOH, including information about their family members.

Three issues were identified. The first was whether the DOH had a lawful basis under Articles 6 and 9 GDPR to process certain categories of personal data of data subjects in its SENs litigation files, and whether it complied with the principle of data minimisation in relation to that processing.

The second was whether the DOH could legitimately rely on [[Article 23 GDPR|Article 23 GDPR]] and section 60(3)(a)(iv) or 162 of the 2018 Act to limit the scope of its [[Article 14 GDPR|Article 14 GDPR]] obligation to provide transparent information to data subjects in relation to SENs cases, where personal information about data subjects was obtained from sources other than the data subjects.

The third was whether the DOH had complied with its obligations under Articles 5(1)(f) and 32(1) GDPR in relation to internal access to its litigation files, since the DOH was required to maintain the integrity and confidentiality of those files.

== Comment ==
Following allegations made in a news programme, the DPC and Case Officers did an excellent job in ensuring that the rights and freedoms of data subjects were protected.

== Further Resources ==
Revision as of 09:32, 18 July 2023

The Irish DPA fined the Department of Health €22,500 for processing, in an unsafe, excessive and non-transparent manner, personal data of people involved in litigation against it.

English Summary

Facts

In March 2021, the Irish DPA became aware of allegations made publicly by a staff member of the Department of Health (DOH). According to these allegations, the DOH, as a controller, collected and processed personal data of plaintiffs in litigation concerning health services for children with special educational needs (SEN).

The DPA opened an inquiry to investigate 29 litigation files related to the matter.

In the files, the DPA found evidence that the controller collected information about services that were provided to plaintiffs and their families. To do so, the controller submitted broadly worded questions asking the Health Service Executive (HSE), an agency under its remit, to share “any other issues HSE feels worth mentioning.” This broad question resulted in the provision of private information about the lives of plaintiffs and their families, including details about plaintiffs’ jobs and living circumstances, information about their parents’ marital difficulties and, in one case, information received directly from a doctor about the services that were being provided to the plaintiff.

In response to the DPA, the controller claimed that personal data were processed only for the purposes of determining whether an approach should be made to the plaintiff to seek to settle the case.

Holding

The DPA clarified that, under sections 41 and 47 of the Data Protection Act 2018, controllers can process personal data where it is necessary to provide or obtain legal advice or in the context of legal proceedings. At the same time, it emphasised that this processing must respect the principles of necessity and proportionality.

In the case at hand, the DPA found that the controller did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in relation to cases where there was open litigation. However, the DPA found that the controller did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families.

According to the DPA, the information collected was excessive and disproportionate to the aims pursued by the controller, so processing it for this purpose was not necessary for the purposes of litigation. Therefore, the DPA found that there was no lawful basis for this processing in the files examined, and that the controller had infringed the principle of data minimisation.

Additionally, the DPA concluded that the controller had violated its transparency obligations under the GDPR. The inquiry found that it did not include details of its practices in its privacy notice. In particular, the privacy notice did not convey the extent of information sharing that took place between the controller and the HSE. The DPA held that the controller could not rely on any exemptions under the Data Protection Act 2018 to avoid providing summary information about those practices in its privacy policy.

Finally, the DPA found that the controller had infringed the requirements to process personal data securely since it ought to have ensured that better internal access restrictions were in place in relation to the files.

For these reasons, the DPA imposed a fine of €22,500 and a ban on the processing.

Comment

Further Resources


English Machine Translation of the Decision

The decision was issued in English, so no translation applies; the text below is the DPC's published summary of the inquiry, followed by a link to the full decision.

Inquiry concerning the Department of Health

(IN-21-3-2)

Date of Decision: 16 June 2023

The Data Protection Commission (DPC) has completed an inquiry into certain aspects of the Department of Health’s processing of personal data in 29 litigation files. The inquiry was commenced following public allegations in 2021 that the Department had unlawfully collected and processed personal data about plaintiffs and their families in special educational needs litigation.

On the files examined, the DPC found evidence that the Department sought information from the HSE about services that were provided to plaintiffs and their families. The Department also included broadly worded questions asking the HSE to share “any other issues HSE feels worth mentioning.” This broad question resulted in the provision of private information about the lives of plaintiffs and their families.

The Department told the DPC that they processed this personal data for the purposes of determining whether an approach should be made to the plaintiff to seek to settle the case. The DPC considered whether it complied with data protection law for the Department to process the personal data for this reason. Under sections 41 and 47 of the Data Protection Act 2018, controllers can process personal data where it is necessary to provide or obtain legal advice or in the context of legal proceedings. In order to determine whether personal data had been lawfully processed by the Department under this provision, the DPC applied the EU law principles of necessity and proportionality. 

The DPC found that the Department did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in relation to cases where there was open litigation. However, the DPC found that the Department did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. This information included details about plaintiffs’ jobs and living circumstances, information about their parents’ marital difficulties and, in one case, information received directly from a doctor about the services that were being provided to the plaintiff.

The DPC found that the processing of information obtained in response to broad scoping questions sent to the HSE for the purposes of seeking to settle a case was excessive and disproportionate to the aims pursued by the Department and that the processing for this reason was not necessary for the purposes of litigation. Therefore the DPC found that there was no lawful basis for this processing in the files examined, and that the Department had infringed the principle of data minimisation by processing this personal data.

Having regard to the relevant factors under the GDPR and the fining cap for public authorities under the Data Protection Act 2018, the DPC decided to impose a fine of €22,500 for these infringements. The DPC also imposed a ban on further processing the sensitive data in the files examined for the purposes of determining an appropriate time to settle a case.

During the inquiry, the DPC found that the Department retained other information that it had collected from the HSE and that it had received from other government departments on its files. The DPC did not find evidence on the 29 litigation files examined that the Department had proactively sought information from other government departments. The DPC also did not find an infringement of data protection law arising from the fact that the Department stored this information for the purposes of defending litigation. The files relate to active litigation and the DPC recognised that there are a number of obligations that require defendants to retain documents that relate to open litigation.

Additionally, the DPC found infringements of the transparency obligations under the GDPR. The inquiry found that the Department did not include details of its practices in its privacy notice. In particular, the privacy notice did not convey the extent of information sharing that took place between the Department and the HSE. The DPC found that the Department could not rely on any exemptions under the Data Protection Act 2018 to avoid providing summary information about those practices in its privacy policy.

The DPC also found that the Department had infringed the requirements to process personal data securely. The inquiry found that the Department ought to have ensured that better internal access restrictions were in place in relation to the files. 

In addition to the fine and ban on processing outlined above, a reprimand was imposed for all of the infringements.

For more information, you can download the full decision, "Inquiry concerning the Department of Health" (PDF, 1.35 MB, June 2023), from the DPC website.