DPC (Ireland) - DPC Case Reference: IN-21-3-2

From GDPRhub
Revision as of 19:45, 16 July 2023 by Tsholohope
DPC - DPC Case Reference: IN-21-3-2
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 6(4) GDPR
Article 9(1) GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: 22,500 EUR
Parties: Department of Health
National Case Number/Name: DPC Case Reference: IN-21-3-2
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Tsholofelo Rantao

The DPC found that:
- The DOH did not take appropriate technical and organisational measures to ensure compliance with the GDPR provisions it breached.
- The organisational measures implemented undermined the principle of data minimisation and the requirements to have a lawful basis for processing, as set out in Articles 6 and 9 of the GDPR.

Therefore, the DOH did not implement appropriate technical and organisational measures to ensure compliance with Article 25 (data protection by design and default). As a result, the DOH breached Articles 5(1)(c), 6(1), 6(4) and 9(1), and the DPC therefore imposed three corrective measures, including a prohibition on processing in the terms set out in Part 9B of this decision, a reprimand and a fine of €22,500.

English Summary

Facts

The DPC found that the Department of Health (DOH) had breached the Data Protection Act by asking broad questions that led to the provision of sensitive information about members of the public who had a history of litigation against the Department. The DPC was made aware of the allegations by a DOH employee ("whistleblower"). On 25 March 2021, the DPC became aware of allegations made by a DOH staff member that highlighted the way in which the DOH collected and processed the personal data of members of the public. After seeing a prime-time broadcast on RTE 1 about the allegations made, the Data Protection Commissioner made an inquiry under section 110(1) of the 2018 Act. The DOH sets policy on the provision of health services to children with special educational needs ('SEN' or 'SENs'), with the aim of supporting these children to access an education appropriate to their needs.

Holding

The DPC's inquiry focused on Articles 5(1)(a), 5(1)(b), 5(1)(c), 5(2), 6, 9, 14, 24, 25, 30 and 35 of the GDPR. It also focused on data protection governance and the security of personal data. The data that was the subject of the investigation included information held in filing systems and processed by automated means. The information related to claimants who had initiated litigation against the DOH, including information about their family members. Three issues were identified, the first being whether the DOH had a lawful basis under Articles 6 and 9 of the GDPR to process certain categories of personal data of data subjects in its SENs litigation files and whether it complied with the principle of data minimisation in relation to that processing.

The second was whether the DOH could legitimately rely on Article 23 GDPR and Section 60(3)(a)(iv) or 162 of the 2018 Act to limit the scope of its Article 14 GDPR obligation to provide transparent information to data subjects in relation to SENs cases, where personal information about data subjects was obtained from sources other than the data subjects.

And third, whether the DOH had complied with its obligations under Articles 5(1)(f) and 32(1) GDPR in relation to internal access to its litigation files. The DOH was required to maintain the integrity and confidentiality of the litigation files.

Comment

Following allegations made in a news programme, the DPC and Case Officers did an excellent job in ensuring that the rights and freedoms of data subjects were protected.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Inquiry concerning the Department of Health

(IN-21-3-2)

Date of Decision: 16 June 2023

The Data Protection Commission (DPC) has completed an inquiry into certain aspects of the Department of Health’s processing of personal data in 29 litigation files. The inquiry was commenced following public allegations in 2021 that the Department had unlawfully collected and processed personal data about plaintiffs and their families in special educational needs litigation.

On the files examined, the DPC found evidence that the Department sought information from the HSE about services that were provided to plaintiffs and their families. The Department also included broadly worded questions asking the HSE to share “any other issues HSE feels worth mentioning.” This broad question resulted in the provision of private information about the lives of plaintiffs and their families.

The Department told the DPC that they processed this personal data for the purposes of determining whether an approach should be made to the plaintiff to seek to settle the case. The DPC considered whether it complied with data protection law for the Department to process the personal data for this reason. Under sections 41 and 47 of the Data Protection Act 2018, controllers can process personal data where it is necessary to provide or obtain legal advice or in the context of legal proceedings. In order to determine whether personal data had been lawfully processed by the Department under this provision, the DPC applied the EU law principles of necessity and proportionality. 

The DPC found that the Department did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in relation to cases where there was open litigation. However, the DPC found that the Department did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. This information included details about plaintiffs’ jobs and living circumstances, information about their parents’ marital difficulties and, in one case, information received directly from a doctor about the services that were being provided to the plaintiff.

The DPC found that the processing of information obtained in response to broad scoping questions sent to the HSE for the purposes of seeking to settle a case was excessive and disproportionate to the aims pursued by the Department and that the processing for this reason was not necessary for the purposes of litigation. Therefore the DPC found that there was no lawful basis for this processing in the files examined, and that the Department had infringed the principle of data minimisation by processing this personal data.

Having regard to the relevant factors under the GDPR and the fining cap for public authorities under the Data Protection Act 2018, the DPC decided to impose a fine of €22,500 for these infringements. The DPC also imposed a ban on further processing the sensitive data in the files examined for the purposes of determining an appropriate time to settle a case.

During the inquiry, the DPC found that the Department retained other information that it had collected from the HSE and that it had received from other government departments on its files. The DPC did not find evidence on the 29 litigation files examined that the Department had proactively sought information from other government departments. The DPC also did not find an infringement of data protection law arising from the fact that the Department stored this information for the purposes of defending litigation. The files relate to active litigation and the DPC recognised that there are a number of obligations that require defendants to retain documents that relate to open litigation.

Additionally, the DPC found infringements of the transparency obligations under the GDPR. The inquiry found that the Department did not include details of its practices in its privacy notice. In particular, the privacy notice did not convey the extent of information sharing that took place between the Department and the HSE. The DPC found that the Department could not rely on any exemptions under the Data Protection Act 2018 to avoid providing summary information about those practices in its privacy policy.

The DPC also found that the Department had infringed the requirements to process personal data securely. The inquiry found that the Department ought to have ensured that better internal access restrictions were in place in relation to the files. 

In addition to the fine and ban on processing outlined above, a reprimand was imposed for all of the infringements.

For more information, you can download the full decision - Inquiry concerning the Department of Health (PDF, 1.35mb) June 2023.