Statement on collation of dossiers by Department of Heath and Departmental ROPA document

We were disturbed by recent revelations on RTE’s Prime Time Investigates in relation to the Department of Health. According to the program, the Department was collating dossiers on families who had made claims against the Department and other state bodies to seek to obtain their children’s rights. 

Under data protection law, data controllers (organizations who make use of  the personal data of others) like the Department of Health are required to prepare and maintain a ‘record of processing activities’. This record is supposed to set out in detail the personal data collected and processed by the organization.  

Digital Rights Ireland has obtained a copy of the Department of Health’s internal statutory Record of Processing Activity (ROPA) document from 2019.

We note that the department’s statement yesterday refers to the collection, processing and sharing of personal data of autistic children who had litigated on their rights as “normal practice”.

In that light, we do not know why this processing would have been kept secret from the department’s own Data Protection Officer and not placed on their statutory register of processing activities.

Line 33 in the ROPA records that the Department of Health collects data on ‘members of the public’ for the purpose of “Legal Cases”. 

However, it avoids specifying the sources of that data- an evasion not followed anywhere else on the ROPA. It simply says the data is sourced from “CSSO and other parties involved”. 

The Prime Time Investigates program has demonstrated that sensitive personal data has been obtained directly from clinical professionals, under direct request not to inform “the plaintiffs…their families or their legal representatives”. Clinical practitioners are not ‘parties involved’ in litigation.

This description does not agree with what is described in the ROPA, under Line 33, or elsewhere.

This does not meet the requirements of the GDPR described in Recital 39; “It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.”

We are concerned that this behavior will serve to undermine confidence in other initiatives the Department is supposed to be leading and directing such as the Health Identifier and the Electronic Health Record. It is inevitable that these projects will now need to be reconsidered and recast, so patients can have confidence that their records will be used only for medical purposes, and not for the assembly of secret dossiers. 

It is critical that data protection law be followed, both in spirit and to the letter where patients’ private medical information is concerned. 

The Department’s ROPA states that it processes this data under a ‘Legal Obligation’. We know of no legal obligation to process sensitive data on vulnerable children and their families obtained from their clinicians under a veil of secrecy, in breach of EU Law. We know of many obligations not to do so.

Department of Health_ROPA 2019 (Microsoft Excel file)