Analysis: DPC imposes €22,500 GDPR fine on Department of Health
Matheson partners Davinia Brennan, Anne-Marie Bohan, Deirdre Crowley, Carlo Salizzo and Michael Byrne and senior associate Connor Cassidy examine a recent DPC decision dealing with the scope of legal professional privilege restrictions under data protection law.
The Data Protection Commission (DPC) recently imposed a €22,500 fine on the Irish Department of Health (DOH) following an inquiry into its processing of personal data in relation to 29 open litigation claims.
The DPC’s statutory inquiry was commenced following public allegations in 2021 that the DOH had unlawfully collected and processed personal data about plaintiffs and their families in the context of litigation surrounding those plaintiffs’ special educational needs.
The DPC’s decision refers to various GDPR compliance issues, including transparency and lawfulness of data processing in the context of litigation proceedings, and compliance with the data minimisation and security obligations under the GDPR. In particular, the decision contains some noteworthy commentary in respect of the scope of the legal professional privilege restrictions under the Data Protection Act 2018.
The decision in brief
The DPC concluded that the DOH did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in relation to cases where there was open litigation. However, the DPC found that the DOH did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families, as it had no lawful basis for processing such data, and also did so in breach of the data minimisation principle.
The broadly worded questions from the DOH included asking the HSE to share “any other issues [the] HSE feels worth mentioning”. The DPC found that this question resulted in the provision of personal details about the plaintiffs and their families, including “details of their living circumstances and jobs, whether their parents were having marital difficulties, whether the plaintiff was in a ‘crisis’…and in another case, information received directly from a plaintiff’s doctor”.
The DOH informed the DPC that it processed this personal data for the purpose of determining whether it was an appropriate time to reach out to the plaintiff to seek to settle the case. The DPC further found that the DOH failed to comply with its transparency obligations in respect of such data sharing, as it did not inform the plaintiffs of the information sharing practices between the DOH and the HSE in its privacy notice.
The maximum administrative fine that could be imposed by the DPC in this case was €1 million, as the DOH is a public authority. Having regard to the general conditions for imposing fines, as set out in Article 83 GDPR, the DPC imposed a fine of €22,500 for the DOH’s infringements of Articles 5(1)(c) (data minimisation principle), 6(1) and 9(1) (lawful basis requirements) and 6(4) GDPR (further compatible processing requirements). The DPC also issued a reprimand to the DOH in respect of these infringements, as well as for infringements of Articles 5(1)(c) and 32(1) (security obligations) and 14 (transparency obligations). In addition, the DPC imposed a ban on the DOH processing the excessive personal data and special category data in the litigation files in question for the purposes of determining an appropriate time to settle a case.
Findings in respect of each issue
Issue A: Whether the DOH had a lawful basis for processing, and complied with the data minimisation principle
The DPC found that sections 41 and 47 of the 2018 Act permit controllers to process personal data and special categories of personal data, where “necessary and proportionate” for the purposes of providing or obtaining legal advice or in the context of legal proceedings. In addition, the DPC acknowledged that section 38 of the Data Protection Act and the Health Act 2004 provided a lawful basis for processing that was “necessary and proportionate” for the performance of the DOH’s functions, and that such “functions” include defending legal claims and litigation.
However, the DPC found that the processing of information obtained in response to broad scoping questions sent to the HSE for the purposes of seeking to settle a case was excessive and disproportionate to the aims pursued by the DOH and that processing for this reason was not necessary for the purposes of litigation. Accordingly, the processing did not meet the necessity and proportionality test in sections 38 and 41 of the 2018 Act.
In addition, the DPC did not consider the repurposing by the DOH of information originally acquired by the HSE about the private lives of the plaintiffs and their families to be compatible with the original purpose, as required by Article 6(4) GDPR. While the DPC noted that section 41 of the 2018 Act permits repurposing of personal data where it is necessary and proportionate for the purposes of legal proceedings, the DPC stated that “Article 6(4) GDPR takes supremacy over Irish law, and the compatibility test must apply equally when controllers seek to rely on section 41”.
Accordingly, the DPC concluded that there was no lawful basis under GDPR for this processing, and the DOH had infringed Articles 6(1), 6(4) and 9(1) GDPR. In addition, the DPC found that the DOH had further infringed the principle of data minimisation under Article 5(1)(c) GDPR by processing this data.
Issue B: Whether the DOH could rely on the legal professional privilege exceptions to restrict the scope of its transparency obligations
The DPC also found that the DOH had infringed its transparency obligations under Article 14 GDPR, as its privacy notice did not convey that information would be shared between government departments for litigation purposes, nor did it include any details about the data sharing practices between the DOH and the HSE. In determining whether the DOH had infringed Article 14 GDPR, the DPC considered whether the DOH could rely on the legal professional privilege (LPP) restrictions in the 2018 Act to avoid providing information about its data sharing practices in its privacy notice.
Two key LPP restrictions are set out in the 2018 Act, namely section 60(3)(a)(iv) and section 162. Whilst section 162 does not appear to have been raised by the DOH in its responses to the DPC, the decision addresses both of these provisions.
It is noteworthy that, in examining the potential application of these provisions, the DPC applied a necessity and proportionality assessment in respect of both these restrictions. This is interesting as section 60(3)(a)(iv) is expressly subject to a ‘necessity and proportionality’ requirement, whilst section 162 is not. The DPC stated that “while the words ‘necessary and proportionate’ are not included in section 162 of the 2018 Act, that section is an implementation of Article 23 GDPR, which requires all restrictions on data subject rights to be necessary and proportionate. More generally, any derogations from rights protected by the [Charter of Fundamental Rights] must be necessary and proportionate to the aim pursued.” The DPC, however, acknowledged that “the principles of necessity and proportionality remain to be considered by the Irish courts in the context of LPP”.
Ultimately, the DPC found that the DOH could not rely on either section 60(3)(a)(iv) or section 162 of the 2018 Act and ought to have included at least some summary information in its privacy notice about the data sharing practices that took place between the DOH and the HSE in relation to litigation. The DPC also found that it was not necessary or proportionate to restrict data subjects’ right to information in the circumstances of this case.
Issue C: Whether the DOH complied with its security obligations
The DPC further found that the DOH infringed its security obligations under Articles 5(1)(f) and 32(1) GDPR by failing to implement internal access restrictions in relation to its litigation files.
The decision shows that in cases where personal data is processed for the purposes of the defence of legal proceedings, controllers will need to justify the relevance of the personal data to that purpose from a necessity and proportionality point of view.
However, the DPC’s application of the ‘necessity and proportionality’ test in respect of section 162 of the 2018 Act may be subject to further scrutiny in the courts in the future. There is no documented consideration as to why the Irish legislature chose not to expressly include the necessity and proportionality language in section 162, but did so for section 60.
It is arguable that the Irish legislature complied with the requirements of Article 23 by making the exception under section 162 narrow and directly aligning it with the existing common law doctrine of legal professional privilege. To require controllers to engage in a further analysis of ‘necessity and proportionality’ when considering the application of section 162 is arguably not what was intended by the Irish legislature and leaves scope for future challenge.
The decision further serves as a reminder of the importance of complying with the data minimisation principle, and ensuring that your organisation’s privacy notice informs data subjects of the categories of personal data processed and shared for litigation purposes, along with the lawful basis for such processing.