We were disturbed by recent revelations on RTE’s Prime-time show Investigates in regard to the Department of Health. According to the program, the Department was looking at dossiers on family members that had made cases versus the Department and other state bodies to seek to acquire their youngsters’s civil liberties.
Under data protection law, data controllers (organizations that make use of the personal data of others) like the Division of Health and wellness are required to prepare as well as maintain a ‘document of processing activities’. This record is meant to set out carefully the personal information collected as well as processed by the organization.
Digital Legal rights Ireland has actually acquired a duplicate of the Division of Health and wellness’s internal statutory Record of Handling Task (ROPA) file from 2019.
We note that the department’s statement the other day refers to the collection, processing and sharing of individual information of autistic youngsters who had actually prosecuted on their rights as “normal method”.
In that light, we do not understand why this handling would certainly have been concealed from the division’s own Data Protection Police officer and not positioned on their statutory register of processing activities.
Line 33 in the ROPA documents that the Department of Wellness gathers information on ‘members of the public’ for the objective of “Legal Situations”.
However, it avoids specifying the sources of that data- an evasion not complied with anywhere else on the ROPA. It simply says the information is sourced from “CSSO as well as other events entailed”.
The Prime-time television Explores program has actually demonstrated that sensitive personal information has been obtained straight from medical experts, under direct request not to notify “the complainants … their households or their legal reps”. Clinical specialists are not ‘parties included’ in lawsuits.
This summary does not agree with what is defined in the ROPA, under Line 33, or in other places.
This does not satisfy the needs of the GDPR described in Recital 39; “It must be clear to natural persons that personal information concerning them are accumulated, made use of, consulted or otherwise processed and to what extent the individual data are or will certainly be processed.”
We are concerned that this behavior will serve to weaken confidence in various other efforts the Division is meant to be leading as well as guiding such as the Wellness Identifier and the Electronic Health And Wellness Document. It is inescapable that these jobs will currently need to be reassessed and also recast, so clients can have self-confidence that their documents will certainly be made use of just for medical objectives, and also except the assembly of secret files.
It is essential that data defense regulation be adhered to, both in spirit and to the t where people’ private medical information is worried.
The Division’s ROPA specifies that it refines this information under a ‘Legal Obligation’. We understand of no legal obligation to procedure delicate data on at risk youngsters and also their households obtained from their clinicians under a shroud of privacy, in violation of EU Regulation. We know of lots of obligations not to do so.
Department of Health_ROPA 2019 (Microsoft Excel file)